This is the accessible text file for GAO report number GAO-06-76
entitled 'Aviation Security: Federal Action Needed to Strengthen
Domestic Air Cargo Security' which was released on November 16, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Report to Congressional Requesters:
October 2005:
Aviation Security:
Federal Action Needed to Strengthen Domestic Air Cargo Security:
GAO-06-76:
GAO Highlights:
Highlights of GAO-06-76, a report to congressional requesters.
Why GAO Did This Study:
In 2004, an estimated 23 billion pounds of air cargo was transported
within the United States, about a quarter of which was transported on
passenger aircraft. Within the Department of Homeland Security (DHS),
the Transportation Security Administration (TSA) is responsible for
ensuring the security of commercial aviation, including the
transportation of cargo by air. To evaluate the status of TSA’s efforts
to secure domestic air cargo, GAO examined (1) the extent to which TSA
used a risk management approach to guide decisions on securing air
cargo, (2) the actions TSA has taken to ensure the security of air
cargo and the factors that may limit their effectiveness, and (3) TSA’s
plans for enhancing air cargo security and the challenges TSA and
industry stakeholders face in implementing these plans.
What GAO Found:
TSA has taken initial steps toward applying a risk-based management
approach to address air cargo security. A risk-based management
approach entails a continuous process of managing risk through a series
of actions, including setting strategic goals and objectives and
assessing risk through the identification and evaluation of threats,
vulnerabilities, and critical assets. In November 2003, TSA completed
an air cargo strategic plan that outlined a threat-based, risk
management approach to secure the air cargo system by, among other
things, targeting elevated risk cargo for inspection. TSA also
completed an updated threat assessment in April 2005. However, TSA has
not yet established a methodology and schedule for completing
assessments of air cargo vulnerabilities and critical assets—two
crucial elements of a risk-based management approach without which TSA
may not be able to appropriately focus its resources on the most
critical security needs.
TSA has taken a number of actions intended to strengthen air cargo
security, but factors exist that may limit their effectiveness. For
example, TSA established a centralized database on people and
businesses that routinely ship air cargo to improve information on
known shippers. However, we identified problems with the reliability of
the information in the database, and how TSA is using the information
to identify shippers who may pose a risk. TSA has also established
requirements for air carriers to randomly inspect air cargo, but has
exempted some cargo from inspection, potentially creating security
weaknesses. Further, TSA conducts audits of air carriers and indirect
air carriers to ensure that they are complying with existing air cargo
security requirements. However, TSA has not developed measures to
assess the adequacy of air carrier and indirect air carrier compliance,
systematically analyzed these audit results to target future
inspections, or assessed the effectiveness of its enforcement actions
to ensure compliance with air cargo security requirements.
TSA’s plans for enhancing air cargo security focus on implementing a
system for targeting and inspecting elevated risk cargo, and requiring
air carriers to conduct security threat assessments on thousands of
cargo workers, among other efforts. However, these plans may pose
financial, operational, and technological challenges to the agency and
air cargo industry stakeholders. For example, stakeholders are
concerned, and our analysis identified, that TSA may have
underestimated the cost of its proposed measures.
Figure: Air Cargo Being Loaded and Inspected Using an Explosive
Detection System:
[See PDF for image]
This figure contains two photographs of air cargo being loaded and
inspected using an Explosive Detection System.
Source: GAO and TSA.
What GAO Recommends:
GAO recommends that DHS direct TSA to complete assessments of air cargo
vulnerabilities and critical assets; reexamine the rationale for
existing air cargo inspection exemptions; develop measures to gauge air
carrier and indirect air carrier compliance; assess the effectiveness
of compliance enforcement actions; and ensure that the data to be used
in identifying elevated risk cargo are complete, accurate, and current.
DHS reviewed a draft of this report and generally concurred with GAO’s
recommendations.
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-76].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Cathleen Berrick at (202)
512-8777 or berrickc@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
TSA Has Developed a Risk-Based Strategic Plan but Has Not Completed
Assessments of the Risks Posed by Terrorists to the Air Cargo System:
TSA Has Implemented Actions Intended to Strengthen Air Cargo Security,
but Factors Exist That May Limit Their Effectiveness:
TSA Plans to Enhance Air Cargo Security, but Implementing These Plans
Poses Challenges to the Agency and Air Cargo Stakeholders:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Federal Agency Roles in Air Cargo Security:
Appendix III: Timeline of Significant Events Related to Air Cargo
Security:
Appendix IV: ASAC Representatives in the 2003 Air Cargo Working Group:
Appendix V: Testing Explosive Detection System Technologies for
Inspecting Air Cargo:
Appendix VI: Testing the Use of TSA-Certified Explosives Detection
Canine Teams:
Appendix VII: New Technologies Selected by TSA for Further Development
and Testing:
Appendix VIII: Comments from the Department of Homeland Security:
Appendix IX: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Elements of a Typical Homeland Security Risk Assessment:
Table 2: Potential Challenges Associated with Using Current and New and
Emerging Technology to Inspect Air Cargo:
Table 3: TSA's Proposed Air Cargo Security Measures:
Table 4: Federal Agency Roles in Air Cargo Security:
Figures:
Figure 1: Flow of Cargo from Shipper to Air Carrier:
Figure 2: Risk Management Cycle:
Figure 3: TSA Air Cargo Security Compliance Inspection Results for the
Period between January 1, 2003, and January 31, 2005:
Figure 4: Top 10 Areas in Which Violations Were Found During Air Cargo
Inspections for the Period January 1, 2003, to January 31, 2005:
Figure 5: Timeline of Significant Events Related to Air Cargo Security:
Figure 6: EDS Technology Inspecting Break Bulk Cargo:
Abbreviations:
ASAC: Aviation Security Advisory Committee:
ASI: aviation security inspector:
ATSA: Aviation and Transportation Security Act:
CBP: U.S. Customs and Border Protection:
DHS: Department of Homeland Security:
EDS: explosive detection system:
ETD: explosive trace detection:
FBI: Federal Bureau of Investigation:
FSD: Federal Security Director:
PARIS: Performance and Results Information System:
STA: security threat assessment:
SIDA: security identification display area:
TSA: Transportation Security Administration:
TWIC: Transportation Worker Identification Credential:
[End of section]
United States Government Accountability Office: Washington, DC 20548:
October 17, 2005:
Congressional Requesters:
In the aftermath of the September 11, 2001, terrorist attacks, aviation
security, including the security of cargo carried on passenger and all-
cargo aircraft, became a growing concern both to the public and to
members of Congress. Since the attacks, several instances of human
stowaways in the cargo holds of all-cargo aircraft have further
heightened the concern over air cargo security by revealing
vulnerabilities that could potentially threaten the entire air
transportation system. The Aviation and Transportation Security Act
(ATSA), enacted in November 2001, required the screening of all
passengers and property, including cargo, United States mail, and carry-
on and checked baggage that is carried on board commercial passenger
aircraft.[Footnote 1] It also required that a system be put in place as
soon as practicable to screen, inspect, or otherwise ensure the
security of cargo on all-cargo aircraft.[Footnote 2] Within the
Department of Homeland Security (DHS), the Transportation Security
Administration (TSA) is responsible for overseeing aviation security to
ensure the security of the air traveling public. While TSA has focused
much of its attention on meeting requirements to screen 100 percent of
passengers and baggage, less attention has been paid to securing air
cargo transported on passenger and all-cargo aircraft.
In 2004, an estimated 23 billion pounds of air cargo were transported
within the United States, with about a quarter of this amount
transported on passenger aircraft. Recently, DHS reported that most
cargo on passenger aircraft is not physically inspected.[Footnote 3]
Specifically, according to industry estimates, only a very small
percentage of the total cargo placed on passenger aircraft is
physically screened or inspected.[Footnote 4] To enhance air cargo
security, Congress recently enacted legislation authorizing $902
million for air cargo security and required that TSA take additional
steps to secure air cargo, including increasing the percentage of cargo
being inspected on passenger aircraft.[Footnote 5] We have previously
reported on the need for TSA to strengthen air cargo security, and the
challenges TSA faces in determining how to allocate its resources to
manage risks while addressing threats and enhancing security both
within aviation and across all modes of transportation.[Footnote 6]
This evolving approach, referred to as risk management, entails a
continuous process of managing risk through a series of actions,
including setting strategic goals and objectives and assessing risk
through the identification and evaluation of threats, vulnerabilities,
and critical assets, among other efforts.
To help Congress evaluate the status of TSA's efforts to secure
domestic air cargo, we answered the following questions: (1) To what
extent has TSA used a risk management approach to guide decisions on
securing air cargo? (2) What actions has TSA taken to ensure the
security of air cargo, and what factors may limit their effectiveness?
(3) What are TSA's plans for enhancing air cargo security, and what
financial, operational, and other challenges do TSA and industry
stakeholders face in implementing these plans?
To answer these questions, we interviewed TSA headquarters officials
responsible for managing the agency's air cargo security program. We
reviewed laws and regulations related to air cargo security and TSA air
cargo security directives and guidance to determine the requirements
placed on air carriers and indirect air carriers for ensuring air cargo
security.[Footnote 7] To determine the extent to which TSA has used a
risk management approach to guide decisions on securing air cargo, we
compared the elements of our risk management approach with TSA's
efforts to implement such an approach. A complete risk-based management
approach includes setting strategic goals and objectives; assessing
risk (threat, vulnerabilities, and criticality); evaluating
alternatives; selecting initiatives to undertake; and implementing and
monitoring those initiatives. This report examines the two risk
management efforts TSA has focused on thus far related to air cargo
security--setting strategic goals and objectives and assessing risk.
Regarding risk assessment, we interviewed air cargo industry
stakeholders to obtain their views on the timeliness, specificity, and
clarity of threat information provided by TSA.[Footnote 8] We also
analyzed data on TSA's compliance inspections to determine the agency's
progress in evaluating industry compliance with existing air cargo
security requirements. We discussed the reliability of TSA's compliance
inspection data for fiscal years 2002, 2003, and 2004 with TSA
officials in charge of this effort, and concluded that they were
sufficiently reliable for the purposes of this review. To obtain
information on government and industry actions and plans to secure air
cargo, we interviewed TSA officials and air cargo industry
stakeholders. We also reviewed TSA's Air Cargo Strategic Plan and
proposed air cargo security rule, including comments on the regulation
and costs associated with implementing the proposal.[Footnote 9] In
addition, we conducted site visits to 12 United States commercial
airports to observe air cargo security operations and pilot testing of
cargo inspection technology, including explosive detection systems
(EDS).[Footnote 10] We selected these airports based on several
factors, including airport size, geographical dispersion, and the
volume of air cargo transported to and from these airports.[Footnote
11] Because we selected a nonprobability sample of airports, the
results from these visits cannot be generalized to other United States
commercial airports. More detailed information on our scope and
methodology is contained in appendix I. We conducted our work between
June 2004 and September 2005 in accordance with generally accepted
government auditing standards. We issued a restricted version of this
report on July 29, 2005.[Footnote 12] This report contains information
presented in that report with all sensitive security information
removed.
Results in Brief:
TSA has taken steps toward applying a risk-based management approach to
addressing air cargo security, including conducting threat assessments.
However, TSA has not conducted assessments of air cargo vulnerabilities
and critical assets, such as cargo facilities and aircraft. TSA
completed an Air Cargo Strategic Plan in November 2003 that outlined a
threat-based risk management approach to securing the nation's air
cargo transportation system. TSA's plan identifies strategic objectives
and priority actions for enhancing air cargo security based on risk,
cost, and deadlines. The plan describes TSA's commitment to inspect 100
percent of elevated risk cargo, and ensure the security of the entire
air cargo supply chain[Footnote 13]. The plan focused on two threats to
air cargo security--preventing the introduction of an explosive device
on a passenger aircraft and the hijacking of an all-cargo aircraft,
resulting in its use to inflict mass destruction. To address these
threats, the plan highlighted four strategic objectives: (1) enhancing
cargo shipper and cargo supply chain security, (2) identifying elevated
risk cargo through prescreening, (3) identifying technology for
performing inspections of elevated risk cargo, and (4) strengthening
the security of all-cargo aircraft and cargo operation areas. In
November 2004, TSA issued a proposed air cargo security rule that would
implement many of the objectives and associated actions identified in
the strategic plan. These include enhancing the Known Shipper program,
which allows individuals or businesses with established histories to
ship cargo on passenger carriers, and improving the security of air
carriers. TSA expected to issue the final rule by mid-August 2005.
However, as of September 2005, this rule has not been issued. TSA is
also in the process of assessing the risks terrorists pose to air
cargo--another key component of risk management. For example, TSA
conducted an air cargo threat assessment in June 2004 and updated its
assessment in April 2005. However, TSA has not completed a methodology
for assessing the vulnerability and criticality of air cargo assets, or
established a schedule for conducting such assessments because of
competing agency efforts to address other areas of aviation security.
Moreover, TSA's existing tools for assessing vulnerability have not
been adapted for use in conducting air cargo assessments, nor has TSA
established a schedule for when these tools would be ready for use. TSA
has also not systematically collected and used information on air cargo
security breaches, which could provide useful information to identify
the full range of potential air cargo security vulnerabilities. Without
fully assessing the risks posed by terrorists to the air cargo system,
TSA is limited in its ability to identify potential air cargo security
vulnerabilities and focus its resources on those areas representing the
most critical security needs.
TSA has implemented a number of actions intended to strengthen air
cargo security, but factors exist that may limit the effectiveness of
these efforts. For example, TSA has established a centralized Known
Shipper database to streamline the process by which shippers
(individuals and businesses) are made known to carriers with whom they
conduct business. However, the information in this database on the
universe of shippers is incomplete, because participation in this
database is currently voluntary and the information in the database may
not be reliable. TSA estimates the agency's centralized database
contains information on about 400,000 known shippers, or less than one-
third of the total population of known shippers, which is estimated to
be about 1.5 million. Moreover, TSA has not taken needed steps to
identify shippers who may pose a security threat, in part because TSA
has incomplete information on known shippers. Through its proposed air
cargo security rule, TSA plans to make the Known Shipper database
mandatory by requiring air carriers and indirect air carriers to submit
information on their known shippers to TSA's Known Shipper database.
According to TSA officials, the agency also plans to take further steps
to identify those shippers who may pose a security risk. Although TSA
has established requirements for passenger and all-cargo carriers to
randomly inspect cargo they transport, the agency has exempted certain
cargo from inspection because of its nature and size. Local TSA
officials and officials representing airports, air carriers, and
indirect air carriers we spoke with recognize that some of these
exemptions may create potential vulnerabilities in the air cargo
security system. To ensure that existing air cargo security
requirements are being implemented, TSA conducts audits, referred to as
compliance inspections, of air carriers and indirect air carriers.
These compliance inspections range from a comprehensive review of the
implementation of all air cargo security requirements by an air carrier
or indirect air carrier to a review of just one or several security
requirements. TSA reported conducting about 37,000 air cargo compliance
inspections from January 2003 through January 2005. However, TSA has
not determined what constitutes an acceptable level of performance or
compared air carriers and indirect air carriers' performance against
this standard, analyzed the results of inspections to systematically
target future inspections on those entities that pose a higher security
risk to the domestic air cargo system, or assessed the effectiveness of
its enforcement actions taken against air carriers and indirect air
carriers to ensure that they are complying with air cargo security
requirements.
TSA's plans for enhancing air cargo security focus on implementing a
system for targeting and inspecting elevated risk cargo, developing and
testing air cargo inspection technology, and implementing enhancements
proposed in its air cargo security rule. However, these planned
enhancements may pose operational, financial, and technological
challenges to the agency and air cargo industry stakeholders.
Specifically, TSA is developing a system to target elevated risk cargo
for inspection that would minimize the agency's reliance on random
inspections. This system, referred to as Freight Assessment, would
compare information on individual cargo shipments and shippers, among
other things, against targeting criteria to assign a risk level to
cargo. Cargo identified as posing an elevated risk would then be
subject to additional inspection through physical searches or
nonintrusive technology, such as X-ray systems. TSA plans to develop
this system because the agency concluded that inspection of all air
cargo would have a negative impact on the flow of commerce and is
currently not technologically feasible. Although the agency
acknowledges that the successful development of the targeting system is
contingent upon having complete, accurate, and current targeting
information, the agency has not yet completed efforts to ensure
information that will be used by the system is reliable. TSA plans to
pilot-test this targeting system in early 2006, with a phased-in
deployment during calendar years 2006 and 2007. TSA is also testing new
and available technologies to determine their applicability to
inspecting air cargo. However, according to TSA officials, the agency
will need to analyze the results of its technology tests before it
determines which technologies will be certified for inspecting elevated
risk cargo and whether it will require carriers to use such technology.
Further, through its proposed air cargo security rule, TSA would
require air carriers and indirect air carriers to secure air cargo
facilities, screen all individual persons boarding all-cargo aircraft,
and conduct security checks on air cargo workers. In commenting on the
proposed rule, industry stakeholders representing air carriers,
indirect air carriers, and airport authorities stated that several of
the proposals may be costly and difficult to implement. Specifically,
these industry stakeholders stated that TSA may have significantly
underestimated the costs associated with implementing these proposed
measures, particularly those requiring air carriers to conduct security
threat assessments on thousands of air cargo workers and random
inspections on a percentage of air cargo. TSA estimated that the
proposed air cargo rule will cost $637 million (in discounted 2003
dollars) over a 10-year period to implement. Our analysis of TSA's
estimate identified concerns with the agency's methodology and suggests
that TSA's cost figures may have been underestimated. According to TSA
officials, the agency plans to reassess its cost estimates before
issuing its final air cargo security rule. As of September 2005, the
final rule has not been issued.
We are making several recommendations to assist TSA in strengthening
the security of the domestic air cargo transportation system. These
include (1) developing a methodology and schedule for completing
assessments of air cargo vulnerabilities and critical assets; (2)
reexamining the rationale for existing air cargo inspection exemptions;
(3) developing measures to gauge air carrier and indirect air carrier
compliance with air cargo security requirements; (4) developing a plan
for systematically analyzing and using the results of air cargo
compliance inspections to target future inspections and identify
systemwide corrective actions; (5) assessing the effectiveness of
enforcement actions in ensuring air carrier and indirect air carrier
compliance with air cargo security requirements; (6) and ensuring that
the data to be used in the Freight Assessment System are complete,
accurate, and current.
We provided a draft of this report to DHS for review. DHS, in its
written comments, generally concurred with the findings and
recommendations in the report. The full text of DHS's comments is
included in appendix VIII.
Background:
Safeguarding the nation's air cargo transportation system is a shared
public and private sector responsibility. While TSA enforces statutory
and regulatory requirements, provides guidance on securing air cargo,
and provides some funding, air carriers and indirect air carriers have
operational responsibility for implementing security requirements
issued by TSA.[Footnote 14] The Aviation and Transportation Security
Act (ATSA) charged TSA with the responsibility for ensuring the
security of the nation's transportation systems, including the
transportation of cargo by air.[Footnote 15] Specifically, TSA's
responsibilities include (1) establishing security rules and
regulations covering domestic and foreign passenger carriers that
transport cargo, domestic and foreign all-cargo air carriers, and
domestic indirect air carriers;[Footnote 16] (2) overseeing
implementation of air cargo security requirements by air carriers and
indirect air carriers through compliance inspections; and (3)
conducting research and development of air cargo security
technologies.[Footnote 17] Section 130 of ATSA also requires TSA to
take actions consistent with the Government Performance and Results Act
of 1993, which states that agencies must use outcome-oriented goals and
measures that assess results, effects, or impacts of a program or
activity compared with its intended purpose. TSA officials stated that
the agency has developed performance goals for the overall air cargo
security program consistent with the Government Performance and Results
Act. These goals include the percentage of known shipper cargo
inspected on passenger aircraft, the percentage of regulatory
compliance inspections completed, and the percentage of assets that
remain below acceptable levels of risk for all threat scenarios for air
cargo.
Air carriers (passenger and all-cargo) and indirect air carriers are
responsible for implementing TSA security requirements, including
maintaining a TSA-approved security program that describes the security
policies, procedures, and systems the air carrier and indirect air
carrier must implement in order to comply with TSA security
requirements.[Footnote 18] These requirements include measures related
to the acceptance, handling, and inspection of cargo; training of
employees in security and cargo inspection procedures; testing employee
proficiency in cargo inspection; and access to cargo areas and
aircraft. Although TSA screens or inspects passengers and their
baggage, it does not do so for air cargo. Instead, TSA regulations
assign this responsibility to air carriers. TSA also does not directly
regulate individuals or businesses that have their cargo shipped by
air.
Air cargo includes freight and express packages that range in size from
small to very large, and in type from car engines, electronic
equipment, machine parts, apparel, medical supplies, human remains, to
fresh-cut flowers, fresh seafood, fresh produce, tropical fish, and
other perishable goods. Cargo can be shipped in various forms,
including in unit-loading devices, wooden crates, assembled pallets, or
individually wrapped/boxed pieces, known as break bulk cargo.[Footnote
19]
Participants in the air cargo shipping process include potentially
millions of individuals and businesses that ship their cargo on all-
cargo aircraft; about 1.5 million known entities, such as
manufacturers, that ship their products on passenger aircraft; about
3,800 indirect air carriers, also known as freight forwarders, who
operate about 10,000 facilities nationwide where they consolidate
shipments and deliver them to air carriers; and 285 passenger and all-
cargo air carriers that use their cargo facilities to store cargo until
it is placed onboard an aircraft for transport. There are about 2,800
such facilities or stations at commercial United States
airports.[Footnote 20] Figure 1 depicts these participants and the two
primary ways in which a shipper can send cargo by air.
Figure 1: Flow of Cargo from Shipper to Air Carrier:
[See PDF for image]
This figure is an illustration of the flow of cargo from shipper to air
carrier. The following two scenarios are depicted:
Flow of Cargo from Shipper to Air Carrier: From Shipper/manufacturer,
goes to:
Pickup; goes to:
Consolidation; goes to:
Airport sorting center; goes to:
Air Carrier.
Or:
Flow of Cargo from Shipper to Air Carrier: From Shipper/manufacturer,
goes to:
Pickup; goes to:
Airport sorting center; goes to:
Air Carrier.
Source: GAO analysis of TSA information.
[End of figure]
As illustrated in figure 1, shippers typically send cargo by air in one
of two ways. A shipper may take its packages to indirect air carriers,
which consolidate air cargo from many shippers and deliver it to air
carriers. The indirect air carrier usually has cargo facilities located
in or near airports and uses trucks to deliver bulk freight to
commercial air carriers--either to a cargo facility or to a small-
package receiving area at the ticket counter. According to TSA, about
80 percent of shippers use indirect air carriers. A shipper may also
send cargo by directly packaging and delivering it to an air carrier's
airport sorting center. Under both scenarios, the shipper may employ a
representative or agent to act on its behalf. The shipper may also have
cargo picked up and delivered by an all-cargo carrier.
In 2004, an estimated 23 billion pounds of cargo was shipped within the
United States by air. About three-quarters of this amount, or 17
billion pounds, traveled aboard all-cargo aircraft, while the remaining
6 billion pounds traveled aboard passenger aircraft.[Footnote 21]
Typically, about one-half of the hulls of each passenger aircraft
transporting cargo are filled with cargo. Air cargo is a significant
source of revenue to air carriers, bringing in about $17 billion for
passenger airlines in 2004.[Footnote 22]
To support TSA's efforts to address air cargo security, Congress
provided the agency with varying levels of funding over the last 2
fiscal years. For example, in fiscal year 2004, Congress, through the
DHS 2004 Appropriations Act conference report, directed TSA to spend
$85 million for air cargo security, including $55 million for
conducting research and development of air cargo inspection
technologies.[Footnote 23] In fiscal year 2005, Congress, through the
DHS 2005 Appropriations Act conference report, directed TSA to spend
$118 million for air cargo security activities, including the hiring of
additional air cargo inspectors, continued research and development of
technologies to provide more effective and efficient methods of
detecting air cargo threats, and expanding the number of TSA-certified
explosive detection canine teams deployed to inspect air cargo.
[Footnote 24] The conference report further requires that DHS act
expeditiously to fully obligate and expend the funding provided for air
cargo security, and directs TSA to provide quarterly reports to the
House and Senate Appropriations Committees beginning in December 2004
on the use of all funds obligated and plans for the use of unobligated
balances related to air cargo security. The Intelligence Reform and
Terrorism Prevention Act of 2004, (Intelligence Reform Act) also
authorized $902 million for air cargo security activities for fiscal
years 2005 through 2007, including $200 million each year to improve
aviation security related to the transportation of cargo on both
passenger and all-cargo aircraft, $100 million each year for research
and development related to enhanced air cargo security technology and
the deployment and installation of such enhanced technology, and $2
million to support efforts to explore alternative technologies for
minimizing the potential effects of detonating an explosive device on
cargo and passenger aircraft.[Footnote 25] The President's fiscal year
2006 budget requested $40 million for TSA to ensure the security of air
cargo. According to the request, this amount includes funds for
supporting the 200 air cargo inspectors, continuing the development and
improvement of the Known Shipper and indirect air carrier databases,
supporting the canine explosive detection program, and field-testing
the agency's air cargo targeting program, among other things. See
appendix III for a timeline of significant events in air cargo security
following the terrorist attacks of September 11, including additional
TSA requirements and enacted legislation.
As we have previously reported, given the vast transportation network
and its importance to commerce, quick and easy access for passengers
and cargo must be maintained while identifying the best possible
strategies for security.[Footnote 26] Consistent with this goal, we
have advocated the need to implement--at TSA and throughout the federal
government--a risk management approach for prioritizing efforts and
focusing resources. A risk management approach entails a continuous
process of managing risk through a series of actions, including setting
strategic goals and objectives, assessing risk, evaluating
alternatives, selecting initiatives to undertake, and implementing and
monitoring those initiatives. The President's fiscal year 2006 budget
request recognizes the need for TSA to identify, prioritize, and manage
risks, and mitigate the impact of potential incidents, to help ensure
that the best security strategies are pursued. Figure 2 depicts a risk
management cycle that is a synthesis of government requirements and
best practices, as previously reported.[Footnote 27] Elements of
strategic planning and risk assessments implemented for air cargo
security are separately identified.
Figure 2: Risk Management Cycle:
[See PDF for image]
This figure is an illustration of the risk management cycle. The cycle
forms a circle to illustrate a continual process. The process is
depicted as follows:
Strategic Goals, Objectives and Constraints:
* Department of Homeland Security Strategic Plan;
* Transportation Security Administration Strategic Plan;
* Transportation Security Administration Air Cargo Strategic Plan;
Flow to:
Risk Management:
* Threat Assessment;
* Vulnerability Assessment;
* Criticality/consequence Assessment.
Flow to:
Alternatives evaluation; flow to:
Management selection; flow to:
Implementation and monitoring; cycle repeats.
Source: GAO.
[End of figure]
TSA has committed to implementing a risk management approach for
securing air cargo and has to date focused its efforts on the first two
elements of this approach, setting strategic goals, objectives, and
constraints, and developing a risk assessment.
Setting strategic goals, objectives, and constraints is a key first
step in implementing a risk management approach and helps to ensure
that management decisions are focused on achieving a purpose. These
decisions should take place in the context of an agency's strategic
plan that includes goals and objectives that are clear and concise.
These goals and objectives should identify resource issues and external
factors to achieving the goals. Further, the goals and objectives of an
agency should link to a department's overall strategic plan. The
ability to achieve strategic goals depends, in part, on how well an
agency manages risk. The agency's strategic plan should address risk-
related issues that are central to the agency's overall mission.
Assessing risk, a critical component of a risk management approach in a
homeland security setting, typically involves three key elements--
threats, vulnerabilities, and criticality--that provide input into the
decision-making process for homeland security. A threat assessment
identifies and evaluates potential threats on the basis of factors such
as capabilities, intentions, and past activities. A vulnerability
assessment identifies weaknesses that may be exploited by identified
threats and suggests options to address those weaknesses. A criticality
assessment evaluates and prioritizes assets and functions in terms of
specific criteria, such as their importance to public safety and the
economy, as a basis for identifying which structures or processes are
relatively more important to protect from attack. Information from
these three assessments can lead to a risk characterization, such as
high, medium, or low, and provides input for prioritizing security
initiatives.[Footnote 28] Table 1 describes the elements of a risk
assessment.
Table 1: Elements of a Typical Homeland Security Risk Assessment:
A threat assessment:
Threat is defined as a potential intent to cause harm or damage to an
asset (e.g., natural environment, people, manmade infrastructures, and
activities and operations). Threat assessments consist of the
identification of adverse events that can potentially affect an entity.
Threats might be present at the global, national, or local level, and
their sources include terrorists and criminal enterprises. Specific
threat information may indicate vulnerabilities that are subject to
attack or following the completion of a risk management process, may,
for instance, indicate that resources should be temporarily deployed to
protect cargo in a particular region of the country or a specific
airport. Even if updated frequently, a threat assessment might not
adequately capture some emerging threats.
A vulnerability assessment:
Vulnerability is defined as the inherent state (either physical,
technical, or operational) of an asset that can be exploited by an
adversary to cause harm or damage. Vulnerability assessments identify
these inherent states and the extent of their susceptibility to
exploitation, relative to the existence of any countermeasures. A
vulnerability assessment is generally conducted by a team of experts
skilled in such areas as engineering, intelligence, security,
information systems, finance, and other disciplines.
A criticality assessment:
Criticality is defined as an asset's relative importance given that an
event occurs. Criticality or similar consequence assessments identify
and evaluate an entity's assets based on a variety of factors,
including the importance of its mission or function, the extent to
which people are at risk, or the significance of a structure or system
in terms of, for example, national security, economic activity, or
public safety. Criticality or consequence assessments are important
because they provide, in combination with threat and vulnerability
assessments, information for later stages of the risk management
process.
[End of table]
Source: GAO.
TSA Has Developed a Risk-Based Strategic Plan but Has Not Completed
Assessments of the Risks Posed by Terrorists to the Air Cargo System:
TSA has taken initial steps toward applying a risk-based management
approach to address air cargo security but not yet completed risk
assessments for air cargo security. Specifically, in November 2003, TSA
completed an Air Cargo Strategic Plan that included goals and
objectives that tie into broader aviation and homeland security goals.
This plan incorporates recommendations provided by industry
stakeholders and outlines a threat-based risk management approach for
securing the air cargo transportation system. Specifically, this plan
is based on two primary threats--preventing the introduction of an
explosive device on a passenger aircraft and the hijacking of an all-
cargo aircraft resulting in its use as a weapon to inflict mass
destruction. In November 2004, TSA issued a proposed rule to implement
many of the actions identified in the strategic plan. TSA is also in
various stages of assessing the risk posed by terrorists to the air
cargo transportation system--a key aspect of risk management. However,
while TSA has conducted a threat assessment to identify terrorist
threats to the air cargo transportation system, TSA has not yet
conducted assessments to identify air cargo security vulnerabilities
and critical air cargo assets. TSA has acknowledged the need to conduct
these assessments but has not yet completed a methodology or schedule
for completing them. As a result, TSA is limited in its ability to
fully address the risks posed by terrorists because some potential air
cargo security vulnerabilities may have gone undetected. Further, TSA
cannot be assured that it is focusing its resources on those air cargo
assets that are determined to be critical and therefore represent the
most pressing security needs.
TSA Has Worked with Industry Stakeholders to Develop an Air Cargo
Strategic Plan:
Establishing strategic goals and objectives is the key first component
of a risk management approach. The Government Performance and Results
Act of 1993, among other things, requires agencies to prepare an annual
performance plan and directs executive agencies to articulate goals and
strategies for achieving those goals.[Footnote 29] More specifically,
agencies are required to develop a strategic plan that contains a
comprehensive mission statement covering the major functions and
operations of the agency and outlines how an agency will achieve its
goals and objectives. In December 2002, we reported that TSA lacked a
comprehensive plan with long-term goals and performance targets for air
cargo security, time frames for completing security improvements, and
risk-based criteria for prioritizing actions to achieve those
goals.[Footnote 30] We recommended that TSA develop a comprehensive
plan for air cargo security that incorporated a risk management
approach. Specifically, we stated that this plan should provide a
framework for systematically evaluating and prioritizing technological
and operational improvements, and for identifying and implementing
additional improvements. We also stated that such a plan should provide
a framework for developing a system to ensure air cargo security.
In January 2003, TSA partnered with the Aviation Security Advisory
Committee (ASAC) to establish a working group to address air cargo
security issues.[Footnote 31] TSA officials stated that the
establishment of the working group was a first step in addressing our
recommendation calling for a risk-based approach to enhancing air cargo
security. The ASAC working group consisted of three subgroups that
focused on shipper acceptance procedures, indirect air carriers, and
securing all-cargo aircraft. These groups collectively developed over
40 recommendations for enhancing air cargo security that were issued to
TSA in October 2003. Representatives from various sectors of the air
cargo industry participated in these working groups, including those
from passenger and all-cargo carriers, indirect air carriers,
government agencies, unions representing pilots and flight attendants,
and the victims from Pan Am flight 103.
In November 2003, TSA issued its Air Cargo Strategic Plan, which
incorporated many of the ASAC working groups' recommendations to
enhance air cargo security. The plan focuses on securing the air cargo
supply and transportation system through the implementation of a
layered security approach. This includes screening, or reviewing
specific information on all cargo shipments, in order to determine
their level of relative risk; ensuring that 100 percent of cargo
identified as posing an elevated risk is physically inspected; pursuing
technological solutions to physically inspect air cargo; and
implementing regulations and programs that support enhanced security
measures. To achieve these goals, TSA's plan identifies strategic
objectives and priority actions for enhancing air cargo security based
on risk, cost, and deadlines.
TSA's air cargo security objectives tie into broader aviation and
homeland security goals and objectives contained in TSA's agencywide
strategic plan and the Department of Homeland Security's strategic
plan. For example, TSA's air cargo plan addresses broader agency and
departmental goals by proposing the establishment of a system to
identify elevated risk cargo through prescreening. This goal of the air
cargo plan supports one of TSA's agencywide goals of identifying
technology for performing inspections of elevated risk cargo. In turn,
this agencywide goal of TSA supports DHS's broad goal of safeguarding
critical infrastructure, property, and the nation's economy from
terrorism acts or other emergencies. The air cargo plan also calls for
a coordinated effort in three other strategic areas--enhancing shipper
and supply chain security, identifying technology for performing
inspection of elevated risk air cargo, and securing all-cargo aircraft
and operation areas through appropriate physical security measures.
These efforts support TSA's strategic goal to deter foreign and
domestic terrorists and others from causing harm or disrupting the
transportation system by implementing preventive and protective
measures to mitigate risk to this system. DHS's corresponding strategic
goal is to detect, deter, and mitigate threats by strengthening the
security of the nation's transportation systems.
While TSA Has Identified Terrorist Threats, It Has Not Assessed
Vulnerabilities and Criticality of Air Cargo Assets:
Risk assessment is a systematic process used to analyze threats,
vulnerabilities, and the criticality of assets to better support key
decisions. We have previously reported that without using a risk
management approach, TSA and other federal decision makers cannot know
whether resources are being deployed as effectively and efficiently as
possible to reduce the risk and mitigate the consequences of a
terrorist attack.[Footnote 32] The importance of a risk management
approach was also highlighted by the National Commission on Terrorist
Attacks upon the United States (also known as the 9/11
Commission).[Footnote 33] The commission noted that the United States
government should identify and evaluate the transportation assets that
need to be protected, set risk-based priorities for defending them,
select the most practical and cost-effective ways of doing so, and
develop a plan, budget, and funding to implement the effort.[Footnote
34] The commission further reported that the plan should assign related
roles and missions to the relevant federal, state, and local
authorities and to private stakeholders. TSA has acknowledged the need
to assess the risks associated with air cargo security and is in
various phases of conducting these assessments. However, while TSA has
completed an assessment of air cargo threats, the agency has not yet
developed a methodology or schedule for completing assessments of air
cargo vulnerabilities or critical assets.
TSA Has Identified Terrorist Threats to Air Cargo:
In TSA's 2003 Air Cargo Strategic Plan, the agency outlined an approach
for securing the air cargo transportation system based on two threats.
These threats include the introduction of an explosive device on a
passenger aircraft and the hijacking of an all-cargo aircraft resulting
in its use as a weapon to inflict mass destruction.[Footnote 35]
In June 2004, a TSA air cargo security threat assessment confirmed the
threats identified in the agency's Air Cargo Strategic Plan and
provided additional information on other general and specific threats
to the air cargo industry.[Footnote 36] In October 2004, TSA conducted
additional threat assessments, focusing on United States mail and
threats to the United States commercial aviation system. These
assessments identified the same threats to the air cargo transportation
system documented in TSA's June 2004 assessment. More recently, in
April 2005, TSA briefed a congressional committee on threats to the
nation's entire transportation sector, including aviation. The briefing
included a threat matrix that ranked the risk associated with the
different transportation modes and showed threats to the air cargo
system that were consistent with previous threat assessments. (The
details of TSA threat assessments and the briefing are classified.) TSA
officials acknowledged the need to periodically reassess the terrorist
threats to air cargo and stated that the agency's air cargo threat
assessment would be updated as new or additional information on air
cargo security threats is identified.[Footnote 37] In June 2005, TSA
officials requested that the agency's Transportation Security
Intelligence Service (TSIS) update the air cargo threat assessment.
According to TSA officials, they have not been provided a date for when
this assessment will be completed.
TSA officials stated that because the agency does not independently
gather intelligence information, the agency is dependent upon sources,
such as DHS's Directorate of Information Analysis and Infrastructure
Protection, the Federal Bureau of Investigation (FBI), and the Central
Intelligence Agency, for information on air cargo security-related
threats. According to agency officials, TSA's TSIS reviews intelligence
information upon receipt and analyzes such information to determine
whether policy decisions are needed to address the identified threats.
Such policy decisions could include immediate actions to safeguard air
cargo through the issuance of security directives or long-term
strategic planning efforts to enhance the overall security of the
nation's air cargo transportation system.
Some air cargo industry stakeholders agreed with TSA's decision to
focus efforts on strengthening air cargo security based on the two
threats described in the agency's strategic plan and proposed air cargo
security rule. For example, one passenger air carrier representative
said that his company supported TSA's decision to increase supply chain
security in a post-September 11 environment. However, other air cargo
stakeholders noted that TSA plans to enhance air cargo security do not
sufficiently address another potential threat to the air cargo
transportation system. Specifically, in comments to TSA's proposed air
cargo security rule, associations representing airline pilots, some
security technology experts, airline passenger groups, and airport
operators stated that the third threat--the introduction of an
explosive device containing a weapon of mass destruction on an all-
cargo aircraft--warrants greater emphasis in the agency's near-and long-
term air cargo security plans. In discussing this issue, TSA officials
stated that the agency decided to focus on the two threats cited above
because they are the most likely scenarios to occur. TSA officials also
stated that they address potential threats as needed. In June 2005, TSA
officials stated that DHS is concerned about a new and emerging threat
to air cargo on a passenger aircraft.[Footnote 38] According to TSA
officials, the agency is reviewing the likelihood that this threat
would occur and what actions would need to be taken to mitigate the
threat.
TSA Disseminates Air Cargo Security Threat Information, but Industry
Stakeholders Have Varying Views on the Quality of the Information
Received:
TSA disseminates threat information related to air cargo security to
relevant stakeholders through several methods. TSA officials stated
that they typically notify the Federal Security Directors (FSDs), who
are responsible for overseeing the implementation of air cargo security
requirements at airports nationwide, of the most updated threat
information related to aviation security, to include the security of
air cargo.[Footnote 39] In turn, the FSDs and responsible field office
staff notify stakeholders, including passenger and all-cargo carriers,
of threat-related information in person or via electronic mail or
telephone. For example, at one airport we visited, TSA and the law
enforcement community hold a monthly meeting in which both classified
and nonclassified information on threat-related information is
exchanged among the participants. In addition, updated threat
information can also be relayed to industry stakeholders, such as air
carrier security managers, via information circulars, emergency
amendments, and security directives issued by TSA, which typically
contain new security requirements or other prescribed actions to take
to mitigate the identified threats. In recognition that some industry
stakeholders with a need to know, such as indirect air carriers, may
not be receiving air cargo security threat information, TSA is
proposing through its air cargo security rule to implement measures
allowing for indirect air carrier personnel to receive such
information. Specifically, this proposal would require indirect air
carriers to designate a security coordinator at the corporate level who
would be responsible for implementing security programs and serve as
the point of contact for communications with TSA.
Air cargo stakeholders we spoke with, including air carrier officials,
expressed various views on the quality of the air cargo threat
information they received from TSA. An official from one of the seven
air carriers we interviewed stated that the threat information provided
by TSA was adequate, while officials from two other carriers stated
that the information lacked specificity about the locations, targets,
and assets being threatened, and was not communicated directly to all
cargo industry stakeholders who may have a need to know such
information, such as indirect air carrier personnel and airline pilots.
Officials from these two carriers stated that in the absence of quality
TSA threat information, they have taken independent steps to compile
and analyze potential air cargo threat information and use this
information as a basis to make informed decisions on whether additional
air cargo security measures are warranted. For example, officials from
one of the two carriers stated that the all-cargo carrier had assigned
a full-time staff person to perform daily reviews and analyses of
government and publicly available information to identify potential
threats to its air cargo personnel, aircraft, and operations resulting
from reports of civil unrest, political instability, the high presence
of extremists and terrorist groups, and anti-United States sentiment in
foreign countries. These officials stated that this information is
communicated to corporate managers to facilitate operational decisions,
which could include increased security measures. Officials from the
remaining four air carriers did not comment on the quality of threat
information provided by TSA.
As we have previously reported, dissemination of timely, specific, and
actionable threat information is a key element of effective risk
communication. Our prior work on aviation security has also shown that
TSA faces challenges in ensuring that threat information is effectively
communicated to relevant stakeholders because intelligence information
can be general.[Footnote 40] In November 2004, we reported that
applying risk communication principles that focus on relaying to the
extent possible, only timely, specific, and actionable information
could provide organizations like TSA with the best opportunity to
achieve the desired result of effectively communicating with
stakeholders.[Footnote 41]
We discussed the issues raised by industry stakeholders with TSA
officials, who stated that that the agency is a consumer of
intelligence and a disseminator of related-threat information to
stakeholders and thus can only provide stakeholders with information it
receives. In addition, intelligence information may be classified or
sensitive, thus limiting with whom it can be shared.[Footnote 42]
Specifically, TSA's TSIS receives information from the United States
intelligence and federal law enforcement communities. For example, the
FBI shares intelligence information and maintains daily contact with
TSA through its liaison responsible for civil aviation. TSA also
participates in the FBI's Joint Terrorism Task Forces in some FBI field
office locations. Upon receipt of threat information, TSIS reviews the
information for its applicability to the transportation sector.
According to TSA officials, on the basis of the credibility of the
information, the agency may obtain an unclassified version of threat-
related intelligence so that it may be disseminated to TSA field office
officials and stakeholders.
TSA Has Not Completed a Methodology or Established a Schedule for
Conducting Assessments of Air Cargo Vulnerabilities and Critical
Assets:
TSA has not yet completed a methodology or established a schedule for
completing a post-September 11 assessment of air cargo vulnerabilities
to identify the range of security weaknesses that could be exploited by
terrorists or an assessment of critical assets that need to be
protected. TSA is in the early stages of developing a methodology for
conducting a post-September 11 assessment of air cargo security
vulnerabilities. However, according to officials, limited resources and
competing priorities have delayed agency efforts to conduct such an
assessment.[Footnote 43] TSA officials stated that after completing its
vulnerability assessments and analyzing the results, the agency may
propose measures to address identified vulnerabilities. TSA also has
not yet developed a methodology for conducting criticality assessments
of air cargo assets. TSA officials stated that they anticipate
conducting three air cargo vulnerability assessments beginning in June
2005 at locations yet to be determined and will decide whether
additional assessments are needed based on the results of these initial
assessments. However, TSA has not established a schedule for when it
would complete these vulnerability assessments, nor has it established
a schedule for completing criticality assessments. TSA officials stated
that the agency will use vulnerability assessment tools such as the
agency's Transportation Risk Assessment and Vulnerability Evaluation
tool and Web-based Vulnerability Identification Self-Assessment Tool
for conducting its vulnerability assessments of the air cargo
system.[Footnote 44] However, as of September 2005, these tools have
not been modified for use in conducting such assessments. Further, TSA
officials did not establish a schedule for when these tools would be
ready for use, thus raising concerns whether TSA will have the
necessary tools available to begin conducting its vulnerability
assessments.
According to TSA's Air Cargo Strategic Plan, the agency's plans for
enhancing air cargo security considered air cargo system
vulnerabilities identified by GAO, the Department of Transportation's
Inspector General, and the Federal Aviation Administration. For
example, in October 2001, the Federal Aviation Administration conducted
an assessment of air cargo security that focused on the pathways by
which a terrorist may introduce an improvised explosive device into the
cargo hold of a passenger aircraft. Some air cargo vulnerability
scenarios, however, were not addressed. Other air cargo vulnerabilities
identified relate to the adequacy of background investigations for all
persons handling cargo, possible tampering with cargo during transport,
and the illegal shipment of hazardous materials. We and others have
also reported that the amount of cargo theft that occurs in these
locations, which is estimated to range into the billions of dollars
annually, indicates potential weakness in security, including air cargo
security.[Footnote 45] Recent news reports of air cargo workers
stealing goods from all-cargo aircraft intended for United States
military personnel further illustrates this concern.
Various sources have highlighted the importance of TSA's efforts to
assess air cargo vulnerabilities. Specifically, TSA officials have
acknowledged the need to conduct a post-September 11 vulnerability
assessment to both validate existing vulnerabilities in the air cargo
security system and identify new ones.[Footnote 46] In addition, air
carrier representatives we spoke with said that a TSA-led vulnerability
assessment would facilitate their efforts to comprehensively document
air cargo security weaknesses and develop measures that would
effectively mitigate the identified weaknesses. These air carrier
representatives added that TSA's assessment process should also be
ongoing and repeated as needed to reflect major changes in the air
cargo threat environment. In addition, in December 2003, the President
issued a directive calling for assessments of the vulnerability of
critical infrastructure to assist in developing the nation's homeland
security strategy.[Footnote 47] TSA has also taken the departmental
lead in developing a National Strategy for Transportation Security, for
which air cargo vulnerability assessments may provide critical
information.[Footnote 48]
Data on air cargo security breaches could also provide useful
information to identify the full range of potential air cargo security
vulnerabilities by exposing weaknesses in air cargo security procedures
that would otherwise not be detected. However, TSA has not defined what
constitutes a breach of air cargo security, even though it has defined
breaches of security in other areas of aviation security, such as
passenger and airport access controls.[Footnote 49] Specifically, TSA
officials stated that the agency has not yet determined the difference
between a security breach and a violation of air cargo security
requirements identified through its regulatory oversight of air
carriers and indirect air carriers. In our discussions with TSA
officials, TSA agreed that an air cargo security breach could consist
of an event that exposes vulnerabilities in air cargo security
procedures that would not necessarily be detected during a TSA
compliance inspection. TSA officials acknowledged that such events
could include instances of human stowaways in aircraft cargo holds, an
event for which TSA issued security directives calling for random
inspection of cargo on all-cargo aircraft to deter and detect future
occurrences. Although TSA officials agreed that data on air cargo
security breaches could provide useful information to identify
potential security weaknesses, the agency does not have plans to define
what constitutes a breach of air cargo security or compile information
on these breaches.
In addition to lacking some data on air cargo vulnerabilities, TSA has
not developed a methodology or schedule for completing assessments to
identify those air cargo assets deemed most critical to protect. Air
cargo assets could include workers, facilities, aircraft, and airports
in heavily populated areas, among other things. According to TSA
officials, the agency is still in the process of determining the
methodology it will use to conduct criticality assessments of air cargo
assets, as well as the criteria for identifying such assets. The
criteria could include factors such as the number of fatalities that
could occur during an attack on an airport cargo facility or the
economic and political importance of the cargo facility. TSA officials
stated that the agency's efforts to identify critical air cargo assets
have been delayed because of limited resources and competing aviation
security priorities. To facilitate the development of a methodology for
identifying critical air cargo assets, such as indirect air carriers
and their facilities, TSA officials stated that the agency planned to
contract with the National Safe Skies Alliance to compile business and
location information on the nation's entire population of indirect air
carriers, and to map out in detail the various ways cargo can flow
through the supply chain.[Footnote 50] However, TSA officials stated
that they decided not to fund this effort because of its cost.
According to TSA officials, the agency plans to capture information on
the entire population of indirect air carriers and the location of
their facilities through its centralized indirect air carrier database,
which was deployed in May 2005. TSA officials stated that this database
will provide the agency with more detailed information on these
critical assets.
The need for an assessment of critical transportation infrastructure,
which could include the nation's air cargo transportation system, has
been identified by various sources. For example, the 9/11 Commission
reported that the United States government should identify and evaluate
the transportation assets that need to be protected, set risk-based
priorities for defending them, select the most practical and cost-
effective ways of doing so, and develop a plan, budget, and funding to
implement the effort. Moreover, DHS's 2005 Interim National
Infrastructure Protection Plan highlights the need for criticality
assessments of transportation infrastructure, beginning with the
identification of critical or key assets. TSA officials acknowledged
that completed criticality assessments could better enable the agency
to prioritize its efforts by focusing on high-priority or high-value
air cargo assets, and by targeting resources to cost-effectively
address the most critical air cargo security risks. Moreover,
criticality assessments could provide the basis for taking immediate
protective actions depending on the threat environment and the need, as
well as future agency decisions related to securing the air cargo
supply chain.
In the absence of completed vulnerability and criticality assessments,
TSA officials stated they are using available threat intelligence,
expert judgment, and information about past terrorist incidents to
select and prioritize their efforts to address air cargo security
needs, including determining where to place TSA's cadre of 200
dedicated air cargo inspectors. For example, TSA officials said that in
2004, the agency allocated the first 100 of its 200 dedicated air cargo
inspectors to airports with the highest volume of air cargo. Officials
also stated that other factors considered in determining the allocation
of inspectors included whether the airport was considered high-risk
because of its geographic location, and the number of air carriers and
indirect air carriers operating at that airport, as well as other
airport-specific issues. TSA officials stated that the agency will
continue to use such rationales in determining where to allocate its
remaining dedicated air cargo inspectors until criticality assessments
are completed.
TSA Has Implemented Actions Intended to Strengthen Air Cargo Security,
but Factors Exist That May Limit Their Effectiveness:
TSA has implemented a variety of actions intended to strengthen the
security of air cargo as it works to fully implement a risk management
approach for securing air cargo. Specifically, these measures focus on
four areas: (1) improving the screening and inspection of air cargo,
(2) strengthening the physical security of aircraft and cargo operation
areas, (3) conducting security checks on cockpit crew members, and (4)
verifying and validating the identity of indirect air carriers.
However, factors exist that may limit the effectiveness of these
measures. For example, the information in TSA's database on known
shippers is incomplete because participation is voluntary, and the
information in the database may not be reliable. In addition,
exemptions in TSA's random cargo inspection requirements may leave the
air cargo system vulnerable to terrorist attack. Further, TSA has not
developed performance measures to determine to what extent air carriers
and indirect air carriers are complying with air cargo security
requirements, analyzed the results of inspections to systematically
target future inspections on those entities that pose a higher security
risk to the domestic air cargo system, or assessed the effectiveness of
its enforcement actions in ensuring air carrier and indirect air
carrier compliance with air cargo security requirements.
TSA Has Implemented Various Actions Aimed at Strengthening Air Cargo
Security:
Prior to the events of September 11, the Federal Aviation
Administration was responsible for overseeing the security of domestic
air cargo. Security regulations and rules in place at that time focused
on preventing the introduction and transport of any unauthorized
explosive or incendiary via cargo aboard passenger aircraft and
included requirements related to the acceptance, handling, and
inspection of cargo, and access to cargo areas and aircraft, among
other things. Since its establishment in November 2001, TSA has
implemented additional actions intended to strengthen domestic air
cargo security, several of which built upon preexisting requirements.
According to TSA, the new actions were implemented in the aftermath of
the terrorist attacks on September 11, to address general threats to
the nation's aviation transportation system, specific threats to air
cargo, and incidences of exploited vulnerabilities in existing air
cargo security programs and requirements. Specifically, these actions
focus on four areas: (1) improving the screening of air cargo,
including prohibiting shipments from unknown shippers on passenger
aircraft, and requiring air carriers to perform random cargo
inspections for weapons, explosives, and stowaways; (2) strengthening
the physical security of aircraft and cargo operation areas, including
controlling access around aircraft; (3) conducting security checks on
cockpit crew members, among others, consisting of checks against TSA no-
fly and selectee lists, and other terrorist-related law enforcement or
intelligence databases; and (4) verifying the identity of indirect air
carriers to identify entities potentially posing a security risk.
According to TSA officials, while some of these actions, such as random
cargo inspections, are designed to serve as interim measures until a
more comprehensive risk management approach to air cargo security can
be implemented, others, such as the centralized Known Shipper database
and system to verify indirect air carriers, will be used to support
their planned risk management approach.[Footnote 51]
TSA has implemented requirements for conducting security checks on
cockpit crew members for both passenger and all-cargo aircraft. This
requirement was implemented to ensure that individuals who pose a
potential terrorist threat are not permitted to board or access an
aircraft. In addition, TSA implemented an automated system to recertify
indirect air carriers, and took steps to verify the accuracy of
information for each indirect air carrier to identify entities posing a
security risk.[Footnote 52] TSA took these steps in recognition that
indirect air carriers could pose a potentially serious vulnerability in
the air cargo transportation system and because the historic paper-
based process for certifying indirect air carriers was time-consuming
and cumbersome.[Footnote 53] Specifically, in May 2004, TSA began
operating a Web-based system that allowed indirect air carriers the
option of electronically submitting information to revalidate their
status in lieu of submitting paper renewal forms. The system also
informs indirect air carriers via e-mail when their certification is
due to expire. According to TSA officials, in May 2005, the agency
allowed indirect air carriers to submit initial certification
applications on-line. TSA's proposed air cargo security rule would
require indirect air carriers to use the agency's automated system to
obtain initial indirect air carrier certification and to apply for
recertification.
Air cargo industry stakeholders have also independently taken measures
to enhance air cargo security. However, several officials representing
air carriers and indirect air carriers we spoke to stated that they
were generally reluctant to invest resources on implementing security
measures beyond those required by TSA. Specifically, these
representatives stated that they were waiting for TSA to finalize its
proposed air cargo security rule, due in mid-August 2005, before
spending funds on security measures that may differ from those that
would be required by TSA. As of September 2005, this rule has not been
issued. We did, however, identify some examples of air carriers and
indirect air carriers that have taken actions to address air cargo
security that went beyond implementing measures currently required by
TSA. Specifically, officials representing 8 of the 11 air carriers and
indirect air carriers we spoke with stated that they had implemented
security measures beyond those required by TSA. According to some of
the 8 air carrier and indirect air carrier officials, while some of
these actions focus on safeguarding cargo from theft, they also have
applicability to cargo security and mitigating terrorist threats. These
actions include inspecting a higher percentage of air cargo than
required by TSA and conducting recurring security training for air
cargo workers, among other things.[Footnote 54]
Known Shipper Program May Not Provide Adequate Assurance That Shippers
Are Trustworthy and That Air Cargo Transported on Passenger Aircraft Is
Secure:
ATSA requires the screening of all passengers and property, including
cargo, United States mail, and carry-on and checked baggage that is
brought aboard commercial passenger aircraft. TSA has primarily relied
on its Known Shipper program to ensure that cargo transported on
passenger air carriers is screened in accordance with this requirement.
[Footnote 55] The Known Shipper program allows individuals or
businesses with established histories to ship cargo on passenger
carriers.[Footnote 56] However, the Known Shipper program has
weaknesses and may not provide adequate assurance that shippers are
trustworthy and that air cargo transported on passenger air carriers is
secure.[Footnote 57]
As part of the Known Shipper program, in February 2004, TSA deployed a
voluntary centralized Known Shipper database designed to streamline the
process by which shippers are made known to carriers with whom they
conduct business.[Footnote 58] As of May 2005, TSA reported that the
database is being used by 89 air carriers and over 500 indirect air
carriers and contains information on approximately 400,000 known
shippers. Prior to the database being implemented, each air carrier and
indirect air carrier was responsible for maintaining its own
information on its known shippers. As a result, each carrier had to
repeat the process of making new shipping customers known when that
shipper was already known to another carrier. The centralized database
allows carriers and indirect air carriers to electronically ascertain
the status of shippers unknown to carriers and indirect air carriers.
Specifically, an electronic message is provided to the air carrier or
indirect air carrier indicating whether or not the shipper is a known
shipper. If the shipper is known, a unique shipper identification
number is electronically provided to the carrier, and the cargo can be
accepted from that shipper as known shipper cargo and shipped on a
passenger aircraft. TSA officials stated that these known shipper data
are automatically compared with the names of restricted entities. If
the shipper is a restricted entity, the carrier would receive a warning
against receiving shipments from that entity. Local TSA officials at
airports we visited and associations representing air carriers, law
enforcement, and pilots we spoke with stated that while the Known
Shipper program may provide some security benefit, it is by itself an
insufficient security safeguard and must be supplemented by other
security measures.[Footnote 59]
Following the terrorist acts of September 11, TSA issued security
directives which require that passenger air carriers only transport
cargo from shippers who meet certain eligibility criteria.[Footnote 60]
However, these requirements may not by themselves deter or prevent
terrorists from meeting the Known Shipper program's basic eligibility
criteria and thus becoming known shippers.[Footnote 61] According to
TSA officials, the new Known Shipper program requirements are one of
several layers of air cargo security--including random cargo
inspections conducted by air carriers, comparing information on cargo
cockpit members against terrorist watch lists, and securing access to
aircraft and cargo operation areas--aimed at deterring and preventing
terrorists from doing harm.[Footnote 62]
TSA currently estimates that the agency's centralized database contains
information on about 400,000 known shippers, or less than one-third of
the total population of known shippers, which TSA estimates at about
1.5 million known shippers.[Footnote 63] Moreover, we determined that
the information contained in the agency's database may not be
reliable.[Footnote 64] TSA is planning to address the problems
associated with the Known Shipper database by, among other things,
proposing that air carriers and indirect air carriers be required to
submit information on their known shippers into the database. According
to TSA officials, information in the Known Shipper database could be
used in a variety of ways to identify shippers who pose a risk to the
air cargo transportation system.[Footnote 65] For example, analyses of
known shipper data could include those already being conducted for
indirect air carriers.[Footnote 66]
TSA Implemented Random Air Cargo Inspection Requirements as an Interim
Security Measure, but Inspection Exemptions May Leave the Air Cargo
System Vulnerable to Terrorist Attack:
In November 2003, TSA required air carriers to conduct random
inspections of air cargo transported on passenger and all-cargo
aircraft.[Footnote 67] TSA officials stated that the agency views
random inspections as an interim security measure until a risk-based
approach that targets elevated risk cargo for inspection is
implemented. As previously noted, inspection refers to some level of
examination of cargo, which can include manual physical searches and
the use of nonintrusive technology to ensure that cargo does not
contain an improvised explosive device or stowaway. TSA established the
requirements for random inspection to address threats to the nation's
aviation transportation system and to reflect the agency's position
that inspecting 100 percent of air cargo was not technologically
feasible and was potentially disruptive to the flow of air commerce.
TSA officials stated that through these random inspection requirements,
the agency attempted to balance the need for increased security with
the need to allow for the flow of air commerce. TSA officials added
that the random nature of the inspections adds an additional layer of
security to the air cargo transportation system by inserting a level of
uncertainty into the inspection process, thus creating a deterrent
effect to terrorists.
As of May 2005, TSA required that passenger carriers randomly inspect a
specific percentage of nonexempt items, and that all-cargo carriers
randomly inspect a different percentage of nonexempt items.[Footnote
68] According to TSA officials, the agency issued an amendment to air
carriers' security programs on April 25, 2005, to triple the percentage
of cargo inspected on passenger aircraft to address a provision in the
fiscal year 2005 Department of Homeland Security Appropriations
Act.[Footnote 69] According to TSA officials, the increase in the
percentage of nonexempt cargo items inspected was to be phased in by
the end of July 2005. TSA officials stated that they chose to exempt
certain cargo from the requirement for random inspection because it did
not view the exempted cargo as posing a significant security
risk.[Footnote 70]
In an effort to address the threats identified for all-cargo aircraft,
TSA focused its inspection requirements for all-cargo air carriers on
specific areas that address known threats. Similarly, in an effort to
address the threats identified for passenger aircraft, TSA focused its
inspection requirements for passenger air carriers on items that could
potentially contain an explosive device. Four local TSA officials and
airport and air carrier officials we spoke with at airports we visited
stated that existing inspection exemptions could pose a potential
vulnerability to the air cargo security system. According to industry
stakeholders, including two air carriers and four local TSA officials
we spoke to, while the rationale for exempting certain types of cargo
from inspection is understandable, the exemptions may create potential
security risks and vulnerabilities.[Footnote 71]
Without examining the rationale of current air cargo inspection
exemptions in light of potential vulnerabilities associated with these
exemptions, TSA cannot be assured that increasing the percentage of
cargo inspected by air carriers, as required by recent legislation,
will enhance air cargo security. Airport, air carrier, and indirect air
carrier officials we interviewed agreed that the rationale for these
exemptions should be reviewed and potentially reconsidered in light of
the potential vulnerability associated with the exemptions. According
to TSA officials, the agency has no plans to revise its current
inspection exemptions for cargo transported on passenger air carriers.
Further, because of existing inspection exemptions for cargo
transported on passenger air carriers, a significant portion of this
cargo is not subject to physical inspection. Specifically, at 4 of the
12 airports we visited, we observed cargo being loaded and unloaded
onto both passenger and all-cargo aircraft. During these four visits, a
considerable amount of cargo we observed being loaded and unloaded was
exempt from inspection.[Footnote 72] While we did not directly observe
cargo inspections conducted by air carriers, we discussed the quality
of the inspections with air cargo industry stakeholders, including air
carriers. Officials from four air carriers we spoke with stated that
the quality and thoroughness of cargo inspections on passenger aircraft
varied.[Footnote 73] The quality of air cargo inspections is also the
subject of an ongoing Department of Homeland Security Inspector General
review.
TSA's Inspection Program May Not Be Effective in Ensuring Air Carrier
and Indirect Air Carrier Compliance with Air Cargo Security
Requirements:
As discussed previously, air carriers and indirect air carriers have
the primary responsibility for implementing domestic air cargo security
requirements, in contrast to the screening of passengers and baggage,
for which TSA has operational responsibility. For air cargo, TSA's role
is to ensure that air carriers and indirect air carriers are complying
with TSA security requirements. TSA determines industry compliance with
existing air cargo security requirements through regulatory audits or
inspections.[Footnote 74] Although the agency has significantly
increased the number of inspections it conducts, TSA has not (1)
developed performance measures to determine to what extent air carriers
and indirect air carriers are complying with air cargo security
requirements; (2) analyzed the results of inspections to systematically
target future inspections on those entities that pose a higher security
risk to the domestic air cargo system; or (3) assessed the
effectiveness of its enforcement actions in ensuring air carrier and
indirect air carrier compliance with air cargo security requirements.
TSA's Air Cargo Security Compliance Inspection Program:
TSA inspections can include reviews of documentation, interviews of
carrier personnel, direct observations of air cargo operations, and
testing by inspectors to determine whether air carriers and indirect
air carriers are in compliance with air cargo security requirements.
TSA's 950 inspectors are responsible for inspecting 285 passenger and
all-cargo air carriers with about 2,800 cargo facilities nationwide, as
well as 3,800 indirect air carriers with about 10,000 domestic
locations. Of TSA's 950 aviation security inspectors located at
airports throughout the United States, 750 are considered generalists
who conduct a variety of aviation security inspections, and 200 are
dedicated to conducting air cargo inspections.
Domestic passenger air carriers have 11 separate areas of cargo
security that are subject to inspection, while indirect air carriers
have 12 areas that are subject to inspection. All-cargo carriers that
have implemented the voluntary all-cargo security program have 24 areas
that are subject to inspection. These areas of inspection include
access to cargo, cargo acceptance, including cargo from known shippers,
and security training and testing. In TSA's Annual Inspection and
Assessment Plan for fiscal year 2004, the agency revised its approach
for ensuring compliance with air cargo security regulations by
increasing the number of inspections yet narrowing the focus.
Specifically, prior to fiscal year 2004, TSA's goals were to inspect
each air carrier and indirect air carrier once a year and cover all
aspects of air cargo security (known as comprehensive inspections).
Beginning in fiscal year 2004, TSA's new approach involved visiting air
carriers and indirect air carriers but inspecting only some of the air
cargo specific inspection areas (known as supplementary inspections).
According to TSA officials, the new inspection process uses risk
management principles that consider threat factors, local security
issues, and input from law enforcement to target key vulnerabilities
and critical assets. TSA added that the new process also takes into
account how to use the agency's limited inspection resources most
effectively. As a result, TSA's approach provides the local FSD at each
airport the responsibility for determining the scope and emphasis of
the inspections, as well as discretion for how to assign local
inspection staff. TSA provides local airport FSDs and inspectors with
goals for the number of inspections to be conducted per quarter. TSA's
Annual Inspection and Assessment Plan for fiscal year 2005 established
air cargo inspection goals.
TSA Has Not Developed Performance Measures to Determine an Acceptable
Level of Compliance with Air Cargo Security Requirements:
According to TSA officials, following the terrorist attacks of
September 11, the primary focus of inspectors was to monitor passenger
and baggage screening operations rather than to conduct air cargo
compliance inspections. Officials added that the agency was not able to
conduct a large number of inspections of air carriers and indirect air
carriers prior to January 2003 because of limited personnel assigned to
perform these tasks and agency decisions to direct these resources to
address other areas of aviation security. More recently, TSA has
focused on increasing the number of air cargo inspections. Our analysis
of TSA data shows that the number of inspections conducted in 2004 rose
over 10-fold from the number conducted in 2003. TSA officials stated
that several factors account for the increase in the number of
inspections, including the hiring, training, and deployment of
dedicated cargo inspectors, and a shift in the agency's focus from
conducting comprehensive inspections that cover all aspects of air
cargo security to supplemental inspections that cover only some of the
24 air cargo specific inspection areas.
TSA established an automated Performance and Results Information System
(PARIS) to compile the results of cargo inspections and the actions
taken when violations are identified.[Footnote 75] Our analysis of
PARIS inspection records shows that between January 1, 2003, and
January 31, 2005, TSA conducted 36,635 cargo inspections of air
carriers and indirect air carriers and found 4,343 violations.[Footnote
76] Figure 3 shows TSA's air cargo security compliance inspection
volumes by month, from January 1, 2003, to January 31, 2005.[Footnote
77]
Figure 3: TSA Air Cargo Security Compliance Inspection Results for the
Period between January 1, 2003, and January 31, 2005:
[See PDF for image]
This figure is a vertical bar graph depicting TSA Air Cargo Security
Compliance Inspection results for the period between January 1, 2003,
and January 31, 2005. The vertical axis of the graph represents number
of inspections from 0 to 3,500. The horizontal axis of the graph
represents months from January 2003 through January 2005.
Source: GAO analysis of TSA data.
[End of figure]
Although TSA has compiled information on the number of air cargo
security compliance inspections conducted and the number of violations
identified, the agency has not determined what constitutes an
acceptable level of performance or compared air carriers' and indirect
air carriers' performance against this standard. As previously noted,
TSA officials stated that the agency has developed performance goals
for the overall air cargo security program consistent with the
Government Performance and Results Act. The agency, however, has not
established performance measures to determine an acceptable level of
compliance by air carriers and indirect air carriers with air cargo
security requirements. Performance measures are indicators used to
gauge performance and are meant to address key aspects of performance
for a program and help decision makers assess program accomplishments
and improve program performance. Such measures are also called for by
our internal controls standards to enable agencies to compare and
analyze actual performance data against expected or planned goals.
Without such measures, TSA cannot assess the performance of individual
air carriers or indirect air carriers against national performance
averages or goals that would allow TSA to target inspections and other
actions on those that fall below acceptable levels of compliance.
According to TSA officials, the agency is currently working on
developing short-term and long-term outcome measures for air cargo
security, but they could not provide a timetable for when this effort
would be completed. In addition, TSA officials acknowledged that the
agency will need to compile sufficient data to determine the agency's
progress in meeting such measures. Until these measures are
established, TSA cannot readily determine how carriers' compliance
compares with a set standard of acceptable performance.
TSA Has Not Yet Analyzed the Results of Inspections to Systematically
Target Future Inspections Of Those Entities That Pose a Higher Security
Risk to the Domestic Air Cargo System:
TSA has taken initial steps to compile information on the results of
its compliance inspections of air carriers and indirect air carriers
and identify the most frequent types of violations found. For example,
from January 1, 2003, to January 31, 2005, TSA identified violations
committed by air carriers and indirect air carriers involving
noncompliance with air cargo security requirements in several areas,
including those TSA determined to be high-risk because they would pose
the greatest risk to the safety and security of air cargo operations.
Specifically, these violations covered areas such as cargo acceptance
procedures, access control to cargo facilities, and physical cargo
inspections. TSA identified indirect air carriers' failure to comply
with their own security programs as the area with the most violations.
According to TSA officials, the large number of violations by indirect
air carriers is due, in part, to their unfamiliarity with air cargo
security requirements. Figure 4 shows the top 10 violations found
during inspections of air carriers and indirect air carriers as
determined by TSA.[Footnote 78]
Figure 4: Top 10 Areas in Which Violations Were Found During Air Cargo
Inspections for the Period January 1, 2003, to January 31, 2005:
[See PDF for image]
This figure is a vertical bar graph depicting the top 10 areas in which
violations were found during air cargo inspections for the period
January 1, 2003, to January 31, 2005. The vertical axis of the graph
represents number of violations, from 0 to 600. The horizontal axis of
the graph represents the ten areas. The following data is depicted:
Violation Area: Adherence to indirect air carrier security program;
Number of Violations: 565.
Violation Area: Documentation of air cargo notification process:
Number of Violations: 399.
Violation Area: Other[A];
Number of Violations: 368.
Violation Area: Adherence to air carrier security program;
Number of Violations: 329.
Violation Area: Cargo accepted in accordance with security
requirements;
Number of Violations: 288.
Violation Area: Cargo inspection training provided to air cargo
workers;
Number of Violations: 285.
Violation Area: Cargo security training provided to workers;
Number of Violations: 239.
Violation Area: Properly controlling access to cargo;
Number of Violations: 212.
Violation Area: Adherence to air cargo security directives and
emergency amendments;
Number of Violations: 168.
Violation Area: Cargo inspected in accordance with security
requirements:
Number of Violations: 159.
Source: TSA.
[A] According to TSA officials, "other" includes information on
violations not specifically identified in the agency's PARIS database.
[End of figure]
While TSA has identified frequently occurring violations, it has not
yet determined the specific area of violation for a large number of
inspections completed from January 1, 2003, to January 31, 2005. For
example, TSA reported its third most frequent type of air cargo
security violations was "other." According to TSA officials, the
"other" category includes violations that could not be easily
categorized by one of the violation area fields listed in the agency's
PARIS database. Moreover, our analysis found 540 additional violations
for which no specific violation area was reported. When combined with
the "other" violations, these two violation areas account for about 21
percent of the total number of air cargo security violations identified
by TSA during this period.
In addition, TSA could not identify how many of its 36,635 inspections
covered each air cargo security requirement, including those in the top
10 violation areas identified in figure 4. As a result, TSA cannot
determine the compliance rate for each specific area inspected. For
example, TSA found 288 violations related to cargo acceptance
procedures but could not identify how many of its inspections examined
these procedures. Without complete information on the specific air
cargo security requirements that air carriers and indirect air carriers
violated, as well as the number of times each topic area was inspected,
TSA is limited in its ability to determine the compliance rates for
specific air cargo security requirements and effectively target future
inspections for air cargo security requirements that are most
frequently violated and the carriers and indirect air carriers that
violate them. In June 2005, TSA officials informed us that in the
future they intend to compile information on the number of instances in
which specific air cargo security requirements are inspected.
While TSA has compiled information on the results of its compliance
inspections, the agency has not yet systematically analyzed these
results to target future inspections on security requirements and
entities that pose a higher risk. Analyzing inspection results would be
consistent with our internal control standards calling for comparisons
of data to identify relationships that could form the basis for
corrective actions, if necessary.[Footnote 79] TSA officials and the
agency's fiscal year 2005 annual domestic inspection and assessment
plan identified the need for such analyses. According to TSA officials,
the agency has recently hired one staff person to begin analyzing
inspection data. In June 2005, TSA officials also stated that the
agency is working to revise its PARIS database to allow for more
accurate recording of inspection violations. However, the agency has
not systematically analyzed the results of its inspections to target
future inspections of those entities that pose an increased security
risk. Without an analysis of the results of its inspections, TSA has a
limited basis to determine how best to allocate its inspection
resources.
Analyzing key program performance data and using the results of this
analysis to effectively allocate resources are consistent with elements
of a risk management approach. Specifically, analyzing the results of
compliance inspection data could help focus limited inspection
resources on those entities posing a higher security risk. Such
targeting is important because TSA may not have adequate resources to
inspect all air carriers and indirect air carriers on a regular basis.
According to TSA inspection data for the period from January 1, 2003,
to January 31, 2005, compliance inspections identified a greater
incidence of violations by indirect air carriers than by air carriers.
Specifically, violations found in inspections of indirect air carriers
accounted for 72 percent of the total violations identified (3,116 out
of 4,343). In addition, the percentage of inspections of air carriers
that did not identify a violation of air cargo security requirements
was significantly higher than that for indirect air carriers.
Specifically, TSA found violations in over 40 percent in its domestic
indirect air carrier inspections during this period, while it found
violations in less than 10 percent of its domestic air carrier cargo
inspections. In addition, our analysis of TSA's compliance inspection
data from November 1, 2001, through September 30, 2004, determined that
the agency had conducted compliance inspections of about 83 percent of
the approximately 2,800 domestic air carrier stations, but for less
than half (49 percent) of the estimated 10,000 indirect air carrier
facilities nationwide during the same period.[Footnote 80]
According to TSA officials, the agency is taking steps to enhance its
ability to conduct compliance inspections of indirect air
carriers.[Footnote 81] Specifically, in May 2005, TSA established a
centralized database to capture information on indirect air carriers
and required each indirect air carrier to provide information on
corporate and satellite locations.[Footnote 82] The agency's ability to
inspect indirect air carrier compliance could also be affected by the
agency's proposed change in the definition of what constitutes an
indirect air carrier. According to TSA's proposed air cargo security
rule, the definition of indirect air carriers would be amended to
include not only those companies transporting goods on passenger
aircraft, but also those transporting goods via all-cargo aircraft.
This change in definition will increase the number of regulated
indirect air carriers TSA will be responsible for overseeing.
As part of its compliance inspection process, TSA recently began
implementing a testing program to identify air cargo security
weaknesses, referred to as special emphasis assessments.[Footnote 83]
On the basis of its review of compliance inspection results for the
period of January 2003 and January 2005, TSA identified 25 indirect air
carriers and 11 air carriers with a history of violations related to
air cargo security requirements. TSA officials stated that the agency
began conducting tests on these air carriers and indirect air carriers
in April 2005.[Footnote 84] TSA officials stated that the agency plans
to conduct additional tests. TSA officials further stated that the
agency has not yet determined how it will use the results of its
testing program to help interpret the results from its other compliance
inspection efforts. TSA has also not analyzed inspection results to
identify additional targets for future testing. Such analysis could
include focusing compliance testing efforts on air carriers and
indirect air carriers with a history of air cargo security violations
related to high risk areas.
TSA Has Not Yet Assessed the Effectiveness of Its Enforcement Actions
in Ensuring Air Carrier and Indirect Air Carrier Compliance with Air
Cargo Security Requirements:
According to TSA officials, the agency corrects minor violations of air
cargo security requirements collaboratively with air carriers and
indirect air carriers through on-site counseling and training. TSA
reserves the use of civil enforcement actions, which include
administration actions and civil monetary penalties, for the most
serious security risks identified during TSA inspections.
Administrative actions range from a warning notice suggesting
corrective steps to a letter of correction that requires the carrier to
take immediate action to avoid civil penalties. TSA is authorized to
issue civil monetary penalties when air carriers and indirect air
carriers fail to correct serious violations of air cargo security
requirements.[Footnote 85]
TSA officials stated that the majority of air cargo security violations
identified from January 1, 2003, to January 31, 2005, were addressed
through on-site counseling and training. Specifically, of the 4,343 air
cargo security violations identified during this period, TSA resolved
almost 60 percent (2,590) through on-site counseling and training. TSA
enforcement action data covering this period, however, did not specify
the actions the agency took in resolving approximately 1,600 (about 35
percent) of the 4,343 air cargo security violations.[Footnote 86] TSA
also recommended civil penalties for 185 violations, of which 11 were
issued and 15 were resolved through administrative actions or no
action. Enforcement actions on the remaining 159 violations are still
pending.[Footnote 87]
According to TSA officials, the agency has not assessed the
effectiveness of its enforcement actions, including on-site counseling
and civil penalties, in ensuring air carrier and indirect air carrier
compliance with air cargo security requirements. Our reviews of agency
compliance inspection programs have cited the need for evaluations of
enforcement activities and have noted the effectiveness of using
sanctions such as civil penalties to increase compliance.[Footnote 88]
Moreover, ATSA requires TSA to conduct ongoing assessments of the
effectiveness of penalties in ensuring airport compliance with security
procedures. Without assessing the effectiveness of its enforcement
actions, TSA cannot be assured that its current cooperative approach to
addressing issues of noncompliance is resulting in increasing carrier
compliance with air cargo security requirements.
TSA Plans to Enhance Air Cargo Security, but Implementing These Plans
Poses Challenges to the Agency and Air Cargo Stakeholders:
TSA has developed plans aimed at enhancing air cargo security, but the
agency and industry face challenges in effectively implementing these
plans. Specifically, TSA is developing a system to target elevated risk
air cargo for inspection that would minimize the agency's reliance on
random inspections. This system would compare information on individual
air cargo shipments as well as information from the Known Shipper,
indirect air carrier, and PARIS databases against targeting criteria to
assign a risk level to cargo. Cargo identified as posing an elevated
risk would then be subject to additional inspection by air carrier
personnel through physical searches or other nonintrusive means.
Elevated risk cargo could include cargo that has been determined to
pose a risk to the safety and security of passengers and air cargo
operations. Although the agency acknowledges that the successful
development of the targeting system is contingent upon having complete
and accurate targeting information in a timely manner, the agency has
not yet completed efforts to ensure that these data are complete,
accurate, and current. Moreover, the agency has not yet determined the
criteria that will be used to identify elevated risk cargo. TSA plans
to pilot-test this targeting system beginning in early 2006 and phase
in deployment of the system during calendar years 2006 and 2007.
[Footnote 89] TSA is also testing and developing technologies to assess
their applicability to air cargo--a key component of the agency's Air
Cargo Strategic Plan. According to TSA officials, the results of its
technology tests will need to be analyzed before the agency determines
which technologies will be certified for inspecting cargo, and whether
it will require air carriers to use such technology. Further, TSA's
proposed air cargo security rule would require air carriers and
indirect air carriers to (1) include all known shippers in a
centralized database, (2) secure air cargo facilities, and (3) conduct
security checks on air cargo workers. A number of industry
stakeholders, including passenger and all-cargo carriers that commented
on the proposed rule, stated that TSA underestimated the costs
associated with implementing the proposed measures and that some of
these proposals may be difficult to implement. Our analysis of TSA's
proposed air cargo security rule cost estimate, $637 million (in
discounted 2003 dollars) over a 10-year period, identified concerns
with the agency's methodology for calculating the cost estimate and
suggests that TSA's cost figure may have been underestimated. According
to TSA officials, the agency plans to reassess its cost estimates
before issuing its final air cargo security rule.
TSA Is Working to Develop a System to Target Elevated Risk Cargo, but
Has Not Yet Ensured That Data to Be Used to Target Cargo Are Complete,
Accurate, and Current:
According to TSA officials, the agency decided to develop a system to
target elevated risk cargo after concluding that physically inspecting
100 percent of the cargo boarded onto passenger aircraft was not
feasible using currently available technology without significantly
impeding the flow of commerce. Specifically, TSA officials stated that
currently available technology does not have the capability to inspect
various types and sizes of cargo in a timely manner and that the cost
associated with inspecting 100 percent of air cargo could be
significant. A Federal Aviation Administration analysis conducted in
2001 determined that only a small portion of the nation's air cargo
could be inspected effectively or efficiently with available
technology, for similar reasons. In its analysis, the Federal Aviation
Administration estimated that 8,000 federal screeners and $500 million
(in the first year) would be required to implement a federally managed
cargo inspection program for passenger aircraft. Further, in June 2002,
TSA estimated that it would cost air carriers and the federal
government up to $3.61 billion (in discounted 2001 dollars) over 10
years to physically inspect all cargo placed in the cargo hold of
commercial passenger aircraft, primarily because of the expense
associated with inspection equipment and personnel costs. Moreover,
according to TSA, delays associated with inspecting 100 percent of
cargo would significantly affect the air cargo operations on passenger
carriers by potentially delaying cargo delivery schedules. Delays
associated with cargo inspection could also affect cargo shippers who
may be required by air carriers to deliver cargo sooner so it can be
properly inspected before being loaded onto aircraft. In addition, air
cargo stakeholders contend that additional security costs related to
100 percent cargo inspection could adversely affect the financial
status of air carriers.
TSA is in the early stages of developing a system to target elevated
risk cargo for additional scrutiny, including physical inspection
through manual searches and the use of nonintrusive inspection
technologies. TSA officials anticipate that the agency's targeting
system, referred to as Freight Assessment, will minimize the reliance
on the random physical inspections currently conducted by air carriers.
TSA officials stated that the development of the Freight Assessment
System will also help the agency to address one of its key objectives
in the agency's Air Cargo Strategic Plan--identifying elevated risk
cargo. TSA's planned Freight Assessment System would use information
maintained in the agency's Known Shipper, indirect air carrier, and
PARIS databases to target elevated risk cargo for inspection. Cargo
that is identified by the Freight Assessment System as posing an
elevated risk will then be physically inspected either through the use
of inspection technology or other methods.[Footnote 90]
According to agency plans, air carriers would receive targeting
information from TSA on specific cargo items identified as posing an
elevated risk. Upon notification by TSA's Freight Assessment System,
carrier personnel would be responsible for conducting the inspection of
cargo identified as elevated risk. Thus, cargo inspection would
continue to differ from current passenger and baggage inspection in
that cargo inspection would be performed by the employees of air
carriers, rather than by a federal workforce. Air carrier and indirect
air carrier officials we spoke with have raised concerns about their
role in cargo inspection and have questioned the skill level and
adequacy of inspection training provided to air carrier employees.
TSA and CBP officials stated that they had agreed to jointly develop
and deploy the Freight Assessment System and the rules that would be
used to identify elevated risk cargo for inspection. TSA officials
stated that the goal of this interagency coordination is to minimize
the cost of the Freight Assessment System's development by leveraging
existing DHS capabilities, and reduce the administrative burden on the
air cargo industry by not requiring stakeholders to submit the same
data to multiple government agencies. CBP is responsible for preventing
terrorists and terrorist weapons from entering the United States. To
target elevated risk international cargo, CBP systems store data on
international cargo shipments, assign a risk score to a specific cargo
shipment, and update stored information with the latest risk scoring
for specific shipments.[Footnote 91] In addition, all commercial air
carriers transporting international cargo must now transmit specific
cargo information to CBP through an automated system.[Footnote 92] This
cargo information is screened to identify elevated risk cargo based on
certain criteria. Upon arrival in the United States, cargo that is
deemed as posing an elevated risk is to be inspected either physically
or with nonintrusive inspection technology by CBP inspectors.
According to TSA and CBP officials, most of the components needed for
TSA's Freight Assessment System already exist within CBP. To use these
components, however, TSA will need to further develop its air cargo
databases to identify and target elevated risk air cargo and develop
the criteria and rules necessary to assign a risk score to domestic air
cargo shipment. TSA's databases will also need to be linked to the
systems housed within CBP. According to TSA officials, the preliminary
design phase of the Freight Assessment System, incorporating components
already existing within CBP, was completed on April 12, 2005.[Footnote
93]
In addition to collaborating with CBP, TSA has worked with the air
cargo industry to develop the overall design of the Freight Assessment
System. For example, in September 2004, the Aviation Security Advisory
Committee created an industry working group to advise TSA on the
development of a Freight Assessment System. On April 28, 2005, the
working group presented the Aviation Security Advisory Committee with
four recommendations to be formally provided to TSA. The working group
recommended (1) extending the life of the working group to enable the
industry to have adequate input into the Freight Assessment System
process as it evolves over time; (2) designing the Freight Assessment
System to include processes for sharing threat information; (3)
establishing a pilot program to determine whether the proper system
elements are in place, and whether the communication between government
and industry allows for the inspection of elevated risk cargo without
disrupting the air cargo supply chain; and (4) obtaining public comment
on the proposed Freight Assessment System through a notice of public
rule making, and implementing the system through amendments to each
regulated party's security program. During the April 28, 2005, meeting,
the Freight Assessment System working group members noted that in
addition to the targeting and physical inspection of elevated risk air
cargo, random physical inspection should continue as an additional
layer of security and stressed that once elevated risk air cargo is
identified, inspection of such cargo should be performed by TSA
employees. TSA officials stated that they would consider the working
group's recommendations and that most of the group's recommendations
have been accepted and incorporated into the Freight Assessment System
design. In addition, TSA officials agreed to continue the life of the
Freight Assessment System working group to extend through the
implementation of the pilot. TSA further requested that once the pilot
program was complete, the working group draft additional
recommendations on the implementation of the system. According to TSA
officials, however, the agency does not plan to use TSA employees to
inspect air cargo because of the cost associated with using federal
screeners and because the number of full-time equivalent screeners is
capped at 45,000.
TSA officials anticipate pilot-testing the Freight Assessment System in
early 2006. According to TSA officials, two airlines and five indirect
air carriers have agreed to participate in the pilot test. TSA
officials expect to expand the pilot test to include cargo transported
on all-cargo carriers but have yet to make a final determination on
when the agency will expand the pilot. TSA officials also plan to phase
in implementation and deployment of the targeting system for cargo
transported on passenger carriers during calendar years 2006 and 2007.
Until such time, TSA officials stated that the agency will rely on the
Known Shipper program and random inspection requirements as the primary
means for screening and inspecting air cargo.
Although TSA has identified data elements that could be used in its
Freight Assessment System, the agency has not yet ensured that these
data are complete, accurate, and current. TSA acknowledges that the
successful development of the targeting system is contingent upon
having complete and accurate information on shippers and cargo
shipments, among other things. However, as we have previously noted,
there are problems with the information contained in the TSA Known
Shipper database and how TSA uses this information to identify shippers
who may pose a risk. TSA plans to make the Known Shipper database
mandatory, allowing the agency to compile and verify information on the
entire population of known shippers and take other actions to identify
high-risk shippers. In December 2004, TSA contracted for a study to
review the information contained in the Known Shipper database.
However, as of June 2005, the study has not yet been completed. TSA
officials stated that they intend to conduct a follow-on study to
examine how to use known shipper data as part of the Freight Assessment
System once privacy issues are addressed. Further, while TSA plans to
use the results of its compliance inspection program to help target
elevated risk cargo, the agency has not yet fully analyzed its
compliance inspection results data or required air carriers to provide
data of their inspection activities. In addition, TSA does not
currently require carriers to submit information on individual domestic
cargo shipments, as is done by CBP for international shipments in
transit to the United States. TSA anticipates requiring domestic air
carriers to submit such information under the proposed Freight
Assessment System.
Complete and accurate shipment and compliance inspection information is
essential for the development of an effective system to target elevated
risk cargo. Further, as we have recently reported, efforts to target
elevated cargo will only be as good as the data used to conduct such
targeting.[Footnote 94] Specifically, we reported on limitations
associated with the information used by CBP in targeting oceangoing
cargo. CBP uses manifest information as one of several data sources to
assess the risk level of United States-bound shipments, but our review
identified problems with this information.[Footnote 95] We found that
without complete and accurate information on shipments, it is difficult
for CBP's Automated Targeting System to accurately assess the risk of
shipments and to conduct thorough targeting.[Footnote 96] Similarly,
TSA plans to develop a system to target elevated risk domestic air
cargo based on the use of information from existing agency databases,
as well as information contained in air carrier's cargo airway bills.
The limitations we identified with CBP's efforts highlight the need for
TSA to evaluate the accuracy and reliability of information it plans on
using to target elevated risk domestic air cargo. Without quality
information, TSA's ability to effectively target cargo for inspection
will be limited, regardless of the system being used. According to TSA
officials, the agency is working to address issues of quality and
availability for both industry-provided data and data from government
sources. TSA anticipates using the results of this analysis as well as
the results of its Freight Assessment pilot, which is currently
scheduled for early 2006, to adjust the information that will be used
to identify elevated risk cargo.
Finally, TSA is still deliberating on the criteria it will use to
define elevated risk cargo during the pilot test of its Freight
Assessment System. While TSA is considering various factors for
determining an air cargo shipment's risk, the agency has not yet
determined whether these or other criteria will be used to define
elevated risk cargo. According to TSA officials, the Freight Assessment
System has been designed to accommodate changes in targeting criteria
to identify elevated risk cargo. Establishing clear criteria for
identifying elevated risk cargo will be essential for the development,
testing, and implementation of an effective system to target such cargo
for further inspection.
TSA Is Testing Inspection Technologies to Determine Their Applicability
to Air Cargo:
TSA is currently developing and testing technologies to assess their
applicability to the inspection of air cargo. According to TSA
officials, the agency will determine whether it will certify or require
the use of air cargo inspection technologies once the agency has
completed its assessments of various technologies and the results have
been analyzed. Testing and developing technology is also one of TSA's
key objectives in the agency's strategic plan for enhancing air cargo
security and is also a key component of TSA's plans to inspect elevated
risk cargo. Recognizing the importance of researching and developing
inspection technology, TSA obligated about $700,000 in fiscal year 2003
and was directed by the conference report for the DHS's fiscal year
2004 appropriations act to spend $55 million for air cargo security
research and development activities. The fiscal year 2005 Department of
Homeland Security Appropriations Act also directed the Secretary of
Homeland Security to research, develop, and procure certified systems
to inspect and screen air cargo on passenger aircraft at the earliest
date possible.[Footnote 97] To accomplish this, the accompanying
conference report directed TSA to spend an additional $75 million to
research and develop air cargo security technologies.[Footnote 98]
TSA is currently developing performance criteria for technology to
inspect air cargo and considering whether to establish a certification
standard for such technology. At present, TSA is not required to
certify technology for air cargo inspection. Until such technology is
certified, TSA officials stated that the agency will continue to allow
air carriers to use the technologies and methods described in the air
carrier standard security program and TSA security directives. These
technologies and methods include manual physical searches, X-ray
systems, explosive trace detection (ETD) equipment, explosive detection
systems, TSA-certified explosives detection canine teams, and
decompression chambers, among other methods.[Footnote 99] TSA security
programs contain procedures and training requirements for air carrier
personnel when using X-ray systems or performing manual searches of air
cargo. TSA also established protocols for air carriers to follow when
using ETD equipment to inspect air cargo. These protocols include
testing procedures, operating instructions, alarm resolution guidance,
and training requirements.
TSA has recently completed a pilot program focused on testing the
applicability of EDS technology to inspect individual pieces of air
cargo, referred to as break bulk cargo.[Footnote 100] According to TSA
officials, the agency decided to test EDS's applicability for
inspecting air cargo, in part because this technology is already used
to inspect checked baggage. EDS pilot-testing criteria included
detection rates, false alarm rates, and throughput rates.[Footnote 101]
Although EDS is currently an approved method for inspecting air cargo,
it had not been tested by TSA to determine its effectiveness in
inspecting air cargo. According to TSA officials, EDS was approved by
the Federal Aviation Administration for inspecting air cargo, but TSA
still needs to review the results of its EDS pilot test before the
agency will determine whether to certify EDS for inspecting air cargo.
Although TSA has not yet finalized its evaluation of the results of the
EDS pilot, agency officials stated that preliminary data suggest that
EDS technology is well suited to inspect break bulk cargo under a range
of environmental and climactic conditions, but limitations exist with
using such technology. TSA has not yet established time frames,
however, for when the agency will decide whether or not to certify EDS
technology for air cargo or require air carriers to use this technology
to inspect air cargo. For a description of TSA's evaluation of EDS
technology, see appendix V.
TSA also recently completed an operational test and evaluation to
determine the applicability of explosives detection canine teams to
inspect air cargo. There are currently 370 TSA-certified explosives
detection canine teams authorized and 333 assigned for use in
inspecting passengers' checked baggage. According to TSA, the agency
chose to test the effectiveness of TSA-certified explosives detection
canine teams in inspecting air cargo in part because these teams are
already used as part of the agency's multifaceted approach to airport
security. As with EDS technology, existing TSA security programs allow
air carriers to use canines for inspecting air cargo. According to TSA
officials, the agency, however, has not yet certified the use of
canines for inspecting air cargo. TSA officials stated that the canine
operational test and evaluation was designed to determine the
effectiveness of canine detection teams in the air cargo environment.
Although TSA has not fully evaluated the results of the pilot tests,
according to TSA, the data suggest that even without prior training,
the canine teams performed effectively in inspecting various types of
cargo. They added that the results of these tests will be used to
determine whether canines will be certified for inspecting air cargo.
TSA has not yet established time frames, however, for when such
decisions will be made. For a description of the recently completed TSA
canine pilot program, see appendix VI.
TSA is also testing other forms of currently available cargo inspection
technologies, as well as identifying and developing new and emerging
technologies. In February 2004, for example, TSA solicited information
from vendors on new and emerging technology concepts for inspecting
cargo containers and United States mail. According to TSA officials,
the agency is pursuing multiple technologies that will automate the
detection of explosives in the types and quantities that will cause
catastrophic damage to an aircraft in flight. On the basis of responses
to its solicitation, TSA identified nine technologies to finance for
further development and testing. According to TSA, the technologies
selected will go through four phases of development: (1) a preliminary
design phase, consisting of activities in which the concept of
operations will be clearly defined and the system components will be
clearly identified; (2) a critical design phase, consisting of further
definition of system design features and analysis of overall detection
and false alarm performance; (3) a system development phase, consisting
of the final design and fabrication of the system, including
developmental tests and evaluations; and (4) a prototype evaluation
phase, consisting of a series of laboratory tests using threats and
cargo to evaluate the detection and false alarm performance for a
variety of threat scenarios. TSA plans to develop working prototypes of
these technologies by September 2006 and complete operational testing
by 2008. TSA acknowledges that full development of these technologies
may take 5 to 7 years. For a description of the new and emerging
technologies selected by TSA for further development and testing, see
appendix VII.
TSA also has other efforts under way to develop and deploy technology
in the air cargo environment. For example, in January 2005, TSA
solicited information on technology systems that could be used to
inspect break bulk air cargo. According to TSA officials, the agency
will identify and evaluate commercial off-the-shelf systems that could
be used to inspect break bulk cargo. TSA plans to begin laboratory and
field tests of these technologies in the summer of 2005. In April 2005,
TSA issued another solicitation for information on air cargo inspection
technology. This solicitation specifically requested information on
explosives detection systems for inspection of cargo containers or
palletized air cargo and will cover the use of unit load devices placed
on passenger aircraft. According to TSA, the agency is currently
reviewing the responses to this solicitation.
In addition to cargo inspection technology, hardened cargo containers
are being considered as a means to mitigate the threat of an improvised
explosive device. The Federal Aviation Administration previously had a
research program on blast-resistant containers to examine their
effectiveness in containing the effects of an improvised explosive
device. Air carriers have raised concerns regarding the weight of these
containers and the potentially significant affect their use would have
on airlines by increasing fuel costs, reducing flight range, and
decreasing payload capacity for revenue-generating passengers and
cargo. Other challenges associated with deploying hardened cargo
containers include purchasing costs (which, according to TSA can range
from $20,000 to $40,000 per container), durability, and potentially
higher maintenance costs for hardened container materials. Although the
purchase, deployment, and use of such containers may prove to be
challenging, the Intelligence Reform and Terrorism Prevention Act of
2004 required that TSA begin to carry out a pilot program to evaluate
the use of blast-resistant containers for cargo and baggage on
passenger aircraft to minimize the potential effects of an explosive
device's detonation. The act authorized $2 million to conduct such a
pilot program. According to TSA officials, the agency is currently
conducting a pilot program with two airlines on the use of hardened
containers.
Finally, according to its Air Cargo Strategic Plan, TSA is also
considering whether the agency's Transportation Worker Identification
Credential (TWIC) Program would be beneficial to incorporate into the
air cargo environment.[Footnote 102] The TWIC Program is intended to
establish a uniform identification credential for 6 million workers who
require unescorted physical or cyber access to secured areas of
transportation facilities. The program is intended to combine standard
background checks and new and emerging biometric technology so that a
worker can be positively matched to his or her credential. As of June
2005, TSA had not yet determined whether the TWIC Program would be
incorporated as part of the agency's overall effort to enhance air
cargo security. We currently have an on-going review of the TWIC
Program.
According to TSA officials and air carrier and airport representatives,
the federal government and the air cargo industry face several
challenges that must be overcome to effectively implement technology to
inspect air cargo for explosives. These challenges include factors such
as the nature, type, and size of the cargo; environmental and climatic
conditions; inspection throughput rates; screener staffing and training
issues; the location of air cargo facilities (centralized versus
decentralized); cost and availability; and employee health and safety
concerns. For example, cargo weighing several tons may be too large to
be inspected by currently available technology. The heat and humidity
at certain airport locations may affect the functioning of inspection
technology. Furthermore, trained staff must be available to operate the
technology, and health and safety concerns such as worker exposure to
radiation must be addressed. We have also previously reported on the
need for TSA and DHS to better manage their research and development
programs to ensure effective use of technology research funds.
Specifically, we recommended that DHS and TSA implement a risk
management approach for their research and development programs.
[Footnote 103] Table 2 describes the potential challenges with using
current and new and emerging technology to inspect air cargo that were
identified by TSA officials and officials representing airports and air
carriers.
Table 2: Potential Challenges Associated with Using Current and New and
Emerging Technology to Inspect Air Cargo:
Potential challenge: Nature, type, and size of air cargo;
Challenge description: Air cargo ranges in size from less than 1 pound
to several tons, and in type from perishables to engines, including
electronic equipment, machine parts, apparel, medical supplies, fresh-
cut flowers, fresh seafood, tropical fish, live animals, and human
remains. Cargo can be shipped in various forms including unit-loading
devices, wooden crates, and assembled pallets, or as break bulk.
Potential challenge: Environmental and climatic conditions;
Challenge description: Different environmental conditions may have an
effect on different types of technology. For example, technology may
need to perform under very cold and very hot conditions, which may
affect its performance.
Potential challenge: Inspection throughput rates;
Challenge description: Technology must have the capacity to inspect a
large quantity of cargo in a timely manner to meet the delivery
schedules of the air cargo industry and the needs of shippers.
Potential challenge: Screener staffing and training;
Challenge description: Depending on the type of technology, operators
may require rigorous training. It may be financially burdensome to
hire, train, and retrain staff to operate the inspection technology.
Potential challenge: Logistics;
Challenge description: Construction of centralized inspection
facilities for storing and using inspection equipment may be
challenging. Larger airports may be in a better position to handle the
financial burden of additional security measures but may not have the
space for inspection equipment. Smaller airports would probably have
difficulty paying for new inspection equipment and staff but may have
the space to add the equipment.
Potential challenge: Cost and availability;
Challenge description: The overall cost of technology may be a
challenge. For example, one EDS machine can cost up to $1.2 million.
TSA canine units can cost up to $120,000 per team annually. Newer
technologies, such as current models of pulsed fast neutron analysis
systems, cost between $10 million and $25 million. In addition, cargo
handling is usually performed at separate cargo facilities either on
airport property or off-site.
Potential challenge: Employee health and safety;
Challenge description: Air carriers contend that certain inspection
technologies, such as pulsed fast neutron analysis, may pose potential
health risks to operators and handlers consolidating and loading cargo.
Air carriers also contend that once items are inspected they may not be
safe to handle for some period of time, which could affect delivery
time. According to TSA, the technologies they are considering for
explosives detection for cargo do not present these problems. Other
inspection technologies using neutron beams may also pose similar
health risks.
Source: GAO summary of reported challenges.
[End of table]
TSA noted that given the challenges of inspecting air cargo using
currently available technologies, the agency's goal is to develop an
approach to inspect air cargo using a combination of technologies.
TSA's strategic plan states that the agency envisions developing a
"tool box" of technologies that can be used by air carriers to inspect
cargo of various types of sizes under different operating environments.
Although the agency recognizes the challenges associated with
inspecting air cargo, has completed some technology evaluations, and
plans to conduct further technology testing, TSA has not decided
whether it will certify or require air carriers to use specific
technologies. TSA officials stated that they will make these decisions
after evaluating the results of the cargo inspection technology
assessments, but the agency has not established time frames for making
such decisions. To effectively inspect cargo that TSA deems to be an
elevated risk, the agency will need to make decisions regarding the use
of air cargo inspection technologies prior to full implementation of
its Freight Assessment System, which is currently scheduled for the end
of calendar year 2007.
TSA Plans to Issue New Air Cargo Security Requirements, but Some
Industry Stakeholders Have Expressed Concern Over Their Cost and
Feasibility:
In addition to developing a system to target and inspect elevated risk
cargo, TSA has proposed additional requirements to enhance air cargo
security in its proposed rule, issued on November 10, 2004. Many of the
measures outlined in the proposed rule are initiatives that are
outlined in TSA's Air Cargo Strategic Plan, as discussed earlier in
this report. Specifically, the proposed rule making would require the
adoption of security measures that focus on inspecting cargo, securing
air cargo facilities, and conducting security checks on air cargo
workers. TSA received 676 comments to its proposed rule from 134
commentators representing air carriers, indirect air carriers, and
airports, among others. The agency has reviewed these comments as it
determines how to finalize its proposals aimed at enhancing air cargo
security. TSA estimated in its proposed rule that implementing these
proposals, including random inspection of air cargo, will cost $637
million (in discounted 2003 dollars) over a 10-year period from 2004 to
2013. Table 3 describes TSA's proposed measures.
Table 3: TSA's Proposed Air Cargo Security Measures:
TSA-proposed measure: Security threat assessments (STA) for air cargo
workers;
Description of proposed measure: Persons who have unescorted access to
air cargo, but do not have unescorted security identification display
area access, to undergo a STA to verify that they do not pose a
security threat. Specifically, TSA will conduct checks of air cargo
workers against intelligence records and databases, including terrorist
watch lists. An estimated $39 fee per applicant would be imposed to
conduct the STA. TSA estimates that 28,225 of the estimated 63,000 air
cargo workers would be affected by this new requirement.
TSA-proposed measure: Inspecting cargo;
Description of proposed measure: Codifying existing requirements for
aircraft operators to inspect air cargo, including that offered by
known shippers.
TSA-proposed measure: Applying or extending airport security
identification display area (SIDA) requirements to air cargo operations
areas[A];
Description of proposed measure: Applying or extending airport SIDA
requirements to air cargo operating areas. This proposal does not call
for the creation of a SIDA at airports where there currently is not
one. In these situations, all-cargo operators will be required to
institute other security measures to prevent unauthorized access.
TSA-proposed measure: Known Shipper program and database;
Description of proposed measure: Codify and strengthen the Known
Shipper program. Specifically, participation in the Known Shipper
database would be mandatory for all domestic operators, foreign air
carriers, and indirect air carriers. Air carriers and indirect air
carriers would be required to submit information on a known shipper
applicant electronically to TSA for vetting against terrorist and law
enforcement data. Aircraft operators, foreign air carriers, and
indirect air carriers will be required to submit known shipper
information electronically and update it as needed.
TSA-proposed measure: Accepting cargo directly from shippers or from
entities with security programs;
Description of proposed measure: Authorize aircraft operators under
full or all-cargo programs to accept cargo only from entities with
security programs comparable to the aircraft operators'.
TSA-proposed measure: Enhanced indirect air carrier security
requirements, including training and personnel requirements;
Description of proposed measure: Expand the definition of indirect air
carrier to include businesses engaged in the indirect transport of
cargo on larger commercial aircraft, whether conducted with a passenger
aircraft or an all-cargo aircraft. Vet businesses more thoroughly
before they are authorized to do business as indirect air carriers,
strengthen a requirement for periodic recertification of indirect air
carrier status, and strengthen security requirements for accepting and
processing air cargo. TSA is developing a Web-based centralized system
for validating and revalidating indirect air carriers. Upon its
implementation, TSA proposes to require all business to use the system
to obtain initial indirect air carrier approval and to renew their
approval. Indirect air carriers would also be required to use the
system to notify TSA of any changes to their corporate structure and to
renew their status annually. Proposes procedures for withdrawing
indirect air carrier security program approval and requiring a
comprehensive and recurrent training program for indirect air carriers
to ensure that indirect air carrier employees understand and are
trained to implement their security responsibilities. Requires indirect
air carriers to designate a security coordinator at the corporate level
(as currently required by airport and aircraft operators) to serve as
the indirect air carrier's primary point of contact for communications
with TSA, including receipt of threat information.
TSA-proposed measure: Security measures for persons boarding an all-
cargo aircraft;
Description of proposed measure: Codify requirements for physically
screening persons other than passengers boarding all-cargo aircraft
with a maximum certified takeoff weight greater than 12,500 pounds.
TSA-proposed measure: Establish a required standardized security
program for all-cargo carriers;
Description of proposed measure: Require additional steps for securing
all-cargo aircraft weighing more than 45,500 kilograms (100,309
pounds). The proposal would institute security measures for all-cargo
aircraft comparable to passenger aircraft of the same size and be
incorporated into a mandatory All-Cargo Aircraft Operator Standard
Security Program.
Source: GAO analysis of Air Cargo Notice of Proposed Rule Making and
Industry Comments.
[A] Individuals working in SIDA must have an airport's approved photo
ID; the ID must be displayed at all times above the waist on the
individual's outermost garments; to obtain a SIDA ID, a person must
successfully undergo a fingerprint-based criminal history records
check, and successfully complete security training. In addition,
procedures must be in place for challenging all persons not displaying
appropriate ID.
[End of table]
Although most industry members who commented on the proposed air cargo
rule were pleased that TSA is taking steps to enhance air cargo
security, many pointed out various issues related to implementing these
measures, particularly cost.[Footnote 104] Specifically, officials
representing air carriers, indirect air carriers, and airports have
expressed concern that they would incur approximately 97 percent of the
projected cost of the air cargo security procedures described in TSA's
proposed air cargo security rule. Air carriers also contend that the
additional air cargo security costs will ultimately be borne by
shippers and passed on to their customers. Officials representing
passenger and all-cargo carriers also commented that the overall
estimate to implement these proposed procedures was low. For example,
cost projections developed by one stakeholder suggest that implementing
TSA's proposals could cost more than double what TSA estimated. A major
reason for this higher cost estimate was that the stakeholder assumed a
tripling in the estimated percentage of air cargo required to be
inspected on passenger aircraft, as mandated in the fiscal year 2005
Department of Homeland Security Appropriations Act.[Footnote 105]
According to TSA officials, the agency's cost estimate for implementing
its proposed security measures did not assume the tripling of the
inspection percentage, as required by the Act, because the fiscal year
2005 Department of Homeland Security Appropriations Act was signed
shortly before the proposed rule was issued.[Footnote 106] Therefore,
TSA based its proposed rule's cost estimates for cargo inspection on
existing requirements at the time.[Footnote 107]
Our analysis of TSA's costs estimates identified four ways in which the
agency had likely underestimated the costs of air cargo inspections.
First, TSA's estimate did not take into consideration the tripling in
the percentage of inspections for cargo transported on passenger
aircraft. Second, TSA is proposing to expand the definition of indirect
air carriers to include those transporting goods on all-cargo aircraft
in addition to those transporting goods on passenger aircraft, a change
that would increase the cost of implementing the proposed rule. Third,
earlier TSA analyses assumed a range of costs for inspection
technology, yet in TSA's cost analysis for its proposed rule, the
agency chose to use a cost estimate for this technology at the lower
end of this range. Incorporating the full range of possible inspection
technology costs raises the expected cost of the proposed regulation.
Fourth, our analysis of the proposed regulation also indicated that
there is no allowance for the cost of any delay. For instance, added
time spent inspecting cargo could mean missing delivery deadlines for
shippers or flight delays. This could affect industries, whose costs of
production are tied to inventories being delivered on time. We
discussed these issues with TSA officials, who stated that the agency
will consider revising its costs estimates as it reviews industry
comments to these security proposals.
In addition to concerns about the overall cost of TSA's proposed rule,
air cargo industry stakeholders expressed concern about the cost and
feasibility of implementing specific proposals described in TSA's
proposed rule. For example, in commenting on the proposed rule, some
air carriers and indirect air carriers acknowledged the need for TSA's
proposal for conducting security threat assessments on air cargo
workers but expressed concern that TSA may have underestimated the
total number of workers affected, as well as the total costs to perform
these checks. Specifically, one air cargo stakeholder estimated that
the population affected by TSA's proposal is more than twice as large
as the agency estimated, thus potentially more than doubling the
estimated cost of $3.2 million (in discounted 2003 dollars) over 10
years. Air carrier representatives also questioned why TSA would
propose a different type of check than is already required for workers
with unescorted access to an airport's SIDA.[Footnote 108] These air
carrier representatives stated that requiring a single type of check
for workers with access to either an airport SIDA or air cargo would
provide for a more uniform level of worker security. According to TSA
officials, the agency's preliminary review of the comments on its
proposed rule indicates that industry stakeholders may have
misunderstood the scope of this proposal, particularly as it relates to
the number and type of workers affected. According to TSA officials,
the agency will clarify these requirements in the agency's final air
cargo security rule.
Several stakeholders also commented on TSA's proposal to apply or
extend airport SIDA requirements to air cargo operations areas. While
three air carrier and indirect air carrier representatives we spoke
with were supportive of this proposal and stated that extending the
airport SIDA should enhance the physical security of cargo shipments
and aircraft, other air carriers and indirect air carriers expressed
concern over the implementation of this proposal. For example,
officials from two air carrier associations we spoke with stated that
this proposal would transfer responsibility for cargo operations areas
from the air carrier to the airport authority. One airport official we
spoke with stated that he did not want the additional responsibility
associated with implementing this proposal, and that air carriers
should be responsible for overseeing the implementation of this
requirement. According to TSA officials, the agency's preliminary
review of comments to its proposed rule indicates that industry
stakeholders may have misunderstood the air carriers' and airport
operators' role in implementing this proposed requirement, particularly
as it relates to their role in overseeing all-cargo operations within
the SIDA. According to TSA officials, the agency will clarify these
requirements in the agency's final air cargo security rule.
Air cargo industry stakeholders, also expressed concern about the cost
and feasibility of implementing TSA's proposal to put into regulation
existing requirements for air carriers to inspect a portion of air
cargo. For example, a representative from one industry association we
spoke with stated that TSA's proposal to screen a percentage of air
cargo does not ensure that air cargo is secure and suggested that most,
if not all, cargo should be screened. Air carrier representatives noted
that the inspection of air cargo should be considered a national
security issue and therefore funded and conducted by the federal
government. In addition, several stakeholders who represent air
carriers and indirect air carriers we spoke with stated that TSA has
not adequately defined what an inspection will entail and who will be
responsible for such an inspection. Further, three of the air cargo
stakeholders we spoke with stated that TSA's interchangeable use of the
terms "screening" and "inspection" created confusion about the actions
they were required to take regarding the examination of air cargo.
Specifically, they noted that they were unsure whether inspection meant
conducting a physical search, while screening meant using nonintrusive
methods such as X-ray machines. These three stakeholders added that
clearer definitions of the terms "screening" and "inspection" would
help ensure that the appropriate type of examination was conducted.
Finally, air carrier and indirect air carrier representatives, in
general, concurred with TSA's proposals to strengthen the security of
indirect air carriers. Some indirect air carriers noted that more
information is needed on who will now be defined as an indirect air
carrier, who will receive security training, and what the training will
entail. Similarly, air carrier representatives agreed with TSA's
proposals regarding security measures for individuals boarding an all-
cargo aircraft and establishing a required standardized security
program for all-cargo carriers, but they said that they would like
clarification on what these measures would entail.
TSA officials told us that the agency is evaluating industry
stakeholders' comments to its proposed security measures and may revise
these proposals prior to issuing its final air cargo security rule. The
Intelligence Reform and Terrorism Prevention Act of 2004 provides that
TSA must issue a final air cargo rule no later than 240 days from its
date of enactment (August 14, 2005).[Footnote 109] As of September
2005, this rule has not been issued.
Conclusions:
Securing all aspects of the aviation system is a daunting task. The
nature, size, and complexity of the nation's air cargo transportation
system highlights the need for the federal government and the private
sector to work together to secure this system and enhance security.
While the cost of enhancing air cargo security can be significant, the
potential costs of a terrorist attack, in terms of both the loss of
life and property and long-term economic impacts, would also be
significant although difficult to predict and quantify. The importance
of the nation's air cargo security system and the limited resources
available to protect it underscore the need for a risk management
approach to prioritize security efforts so that a proper balance
between costs and security can be achieved. In December 2002, we
recommended, and TSA committed to, implementing a risk management
approach for securing air cargo. By developing a strategic plan, TSA
established strategic goals and objectives, a key first step in
implementing a risk management approach. TSA also took another key step
in implementing a risk management approach by assessing threats to air
cargo security.
While these efforts represent achievements, more work remains to be
done to fully address the risks posed to air cargo security. By not yet
fully evaluating the risks posed by terrorists to the air cargo
transportation system through assessments of systemwide vulnerabilities
and critical assets, including analyzing information on air cargo
security breaches, TSA is limited in its ability to focus its resources
on those air cargo vulnerabilities that represent the most critical
security needs and assure Congress that existing funds are being spent
in the most efficient and effective manner. Further, without examining
the rationale of current air cargo inspection exemptions in light of
potential vulnerabilities associated with these exemptions, TSA cannot
be assured that tripling the amount of cargo on passenger aircraft that
is inspected, as required by recent legislation, will enhance air cargo
security.
Without performance measures to gauge air carrier and indirect air
carrier compliance with air cargo security requirements, TSA cannot
effectively focus its inspection resources on those entities posing the
great risk. In addition, without systematically analyzing the results
of its air cargo compliance inspections, TSA will be limited in its
ability to effectively target future inspections and fulfill its
oversight responsibilities for this essential area of aviation
security. TSA also cannot be assured that its current cooperative
approach to addressing issues of noncompliance is resulting in
increased air carrier and indirect air carrier compliance with air
cargo security requirements without assessing the effectiveness of its
enforcement actions. Finally, TSA's goal of developing a system to
target elevated risk cargo for inspection without impeding the flow of
air commerce will be difficult to achieve without ensuring that the
information used to target such cargo is complete, accurate, and
current. By addressing these areas, TSA would build a better basis for
strengthening air cargo security in the future as it moves forward in
implementing risk-based security initiatives.
Recommendations for Executive Action:
To help ensure that the Transportation Security Administration has a
comprehensive risk-based approach for securing the domestic air cargo
transportation system, we recommend that the Secretary of Homeland
Security direct the Assistant Secretary of Homeland Security for the
Transportation Security Administration to take the following six
actions:
(1) develop a methodology and schedule for completing assessments of
air cargo vulnerabilities and critical assets, as well as defining,
gathering, and analyzing information on air cargo security breaches,
and use the information resulting from these assessments as a basis for
prioritizing the steps necessary to enhance the security of the
nation's air cargo transportation system;
(2) reexamine the rationale for existing air cargo inspection
exemptions, determine whether such exemptions leave the air cargo
system unacceptably vulnerable to terrorist attack, and make any needed
adjustments to the exemptions;
(3) develop measures to gauge air carrier and indirect air carrier
compliance with air cargo security requirements to assess and address
potential security weaknesses and vulnerabilities;
(4) develop a plan for systematically analyzing the results of air
cargo compliance inspections and use the results to target future
inspections and identify systemwide corrective actions;
(5) assess the effectiveness of enforcement actions, including the use
of civil penalties, in ensuring air carrier and indirect air carrier
compliance with air cargo security requirements; and:
(6) ensure that the data to be used in the Freight Assessment System to
identify elevated risk cargo are complete, accurate, and current.
Agency Comments and Our Evaluation:
We provided a draft of this report to DHS for review and comment. On
September 30, 2005, we received written comments on the draft report,
which are reproduced in full in appendix VIII. DHS generally concurred
with the findings and recommendations in the report.
With regard to our recommendation to develop a methodology and schedule
for completing assessments of air cargo vulnerabilities and critical
assets, as well as defining, gathering, and analyzing information on
air cargo security breaches, DHS stated that it intends to perform a
vulnerability assessment to assess the relative significance of
vulnerabilities associated with domestic air cargo operations and
services. Specifically, DHS stated that this assessment will identify
weaknesses with the nation's air cargo operations that may be exploited
by terrorists and that this assessment will be tied into the
department's work to identify critical assets. Completing a
vulnerability assessment is an important step in applying a risk
management approach to securing air cargo. While DHS identified that
the vulnerability assessment will tie into the department's criticality
work, it has not indicated when a vulnerability or criticality
assessment of air cargo assets will be conducted or whether it intends
to define, gather, and analyze information on air cargo security
breaches as part of this assessment. Taking these steps would more
fully address our recommendation.
Concerning our recommendation to reexamine the rationale for existing
air cargo inspection exemptions, DHS stated that it is already in
consultation with industry stakeholders regarding reevaluating current
cargo inspection exemptions as it designs and develops the Freight
Assessment System, and will soon launch a broad-based review of current
air cargo policies and processes. While conducting such a review may
provide useful information on security processes and policies that need
to be improved, it is important that the exemptions specifically be
reviewed to determine whether they leave the air cargo system
unacceptably vulnerable to terrorist attack. This assessment, as well
as any resulting adjustments to the exemptions, should be completed as
soon as practical and should not be exclusively tied to the design and
development of the Freight Assessment System. Taking this step would
more fully address our recommendation.
In addressing our recommendation to develop measures to gauge air
carrier and indirect air carrier compliance with air cargo security
requirements, DHS stated that TSA is committed to focusing compliance
inspection resources on regulated parties that have greater security
weaknesses and vulnerabilities and will enhance current efforts to
gauge air carrier and indirect air carrier compliance with air cargo
security requirements. Although these efforts should help TSA in
performing its oversight responsibilities, developing specific
performance measures to gauge air carrier and indirect air carrier
compliance with air cargo security requirements will be important to
fulfilling the agency's oversight commitment. Taking such action would
more fully address the intent of this recommendation.
Regarding our recommendation to develop a plan for systemically
analyzing the results of air cargo compliance inspections, DHS stated
that TSA has taken steps to compile information results from past
compliance inspections and will analyze the results of its inspection
activities to target future inspections and develop systematic and
localized corrective action as appropriate. In addition, DHS stated
that TSA recently formed an advisory group to assist in developing the
agency's annual compliance work plan which will identify and direct
further inspection efforts. If properly implemented, these actions
should address the intent of this recommendation.
Concerning our recommendation to assess the effectiveness of
enforcement actions to ensure air carrier and indirect air carrier
compliance with air cargo security requirements, DHS stated that TSA
will use compliance inspection results generated by the PARIS database,
in addition to reviewing formal enforcement actions and adjudications
rendered through the legal process, to assess enforcement action
effectiveness. Developing specific details on how compliance inspection
results will be evaluated to determine the effectiveness of the
agency's enforcement actions will be necessary for the agency to ensure
that these actions result in increased air carrier and indirect air
carrier compliance with air cargo security requirements.
With regard to our recommendation to ensure that the data to be used in
the Freight Assessment System to identify elevated risk cargo are
complete, accurate, and current, DHS stated that TSA is developing a
plan to ensure the integrity of all data that will be used in the
Freight Assessment System. Specifically, TSA plans to implement a
continuous monitoring process to alert TSA of significant data changes
to ensure that the Freight Assessment System is provided with the most
complete, accurate, and current information. Additionally, DHS stated
that TSA has enlisted industry's assistance, through the Aviation
Security Advisory Committee, in the development of standards for
shipment data. If properly implemented, these actions should help
ensure that the critical information necessary to target elevated risk
cargo for inspection will be complete, accurate, and current.
DHS also offered technical comments and clarifications, which we have
considered and incorporated where appropriate.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will provide copies of this
report to the Secretary of the Department of Homeland Security, the
Assistant Secretary of the Transportation Security Administration, and
interested congressional committees.
If you have any further questions about this report, please contact me
at (202) 512-3404 or berrickc@gao.gov. Key contributors to this report
are listed in appendix IX.
Sincerely,
Signed by:
Cathleen A. Berrick:
Director:
Homeland Security and Justice Issues:
[End of section]
List of Congressional Requesters:
The Honorable Tom Davis:
Chairman:
Committee on Government Reform:
House of Representatives:
The Honorable Peter T. King:
Chairman:
The Honorable Bennie G. Thompson:
Ranking Minority Member:
Committee on Homeland Security:
House of Representatives:
The Honorable Christopher Shays:
Chairman:
Subcommittee on National Security, Emerging Threats, and International
Relations:
Committee on Government Reform:
House of Representatives:
The Honorable Daniel E. Lungren:
Chairman:
The Honorable Loretta Sanchez:
Ranking Minority Member:
Subcommittee on Economic Security, Infrastructure Protection, and
Cybersecurity:
Committee on Homeland Security:
House of Representatives:
The Honorable Edward J. Markey:
House of Representatives:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to answer the following questions: (1) To what
extent has the Transportation Security Administration (TSA) used a risk
management approach to guide decisions on securing air cargo? (2) What
actions has TSA taken to ensure the security of air cargo, and what
factors may limit their effectiveness? (3) What are TSA's plans for
enhancing air cargo security, and what financial, operational, and
other challenges do TSA and industry stakeholders face in implementing
these plans?
To answer these questions, we interviewed TSA headquarters officials
responsible for managing the agency's air cargo security program. We
also interviewed headquarters' officials at the Department of Homeland
Security's (DHS) U.S. Customs and Border Protection (CBP), the Federal
Bureau of Investigation, and the United States Postal Service to obtain
information about their role in air cargo security. In addition, we
interviewed 48 air cargo industry stakeholders, including officials
representing 7 air carriers, 4 indirect air carriers, 12 airport
authorities, 16 associations representing airport operators, air
carrier pilots, indirect air carriers, passenger air carriers, all-
cargo air carriers, law enforcement agencies, and 9 air cargo security
consultants and experts. The majority of these industry stakeholders
participated in the Aviation Security Advisory Committee working groups
that developed recommendations for enhancing air cargo security. We
also conducted site visits at 12 United States commercial airports.
[Footnote 110] Because we selected a nonprobability sample of airports,
the results from these visits cannot be generalized to other U.S.
commercial airports. During our site visits, we met with Federal
Security Directors and inspections staff at each airport and observed
pilot testing of air cargo inspection technology, including explosive
detection systems at select airports.[Footnote 111] We also met with
CBP officials at 4 of the airports we visited.[Footnote 112] In
addition, we met with airport authorities at each airport we visited
and interviewed air carrier and indirect air carrier officials at
several airports we visited. Specifically, we interviewed officials
from four passenger and three all-cargo air carriers. To gain an
understanding of current and planned air cargo security requirements,
we reviewed air cargo security-related laws and regulations as well as
TSA's air cargo security strategic plan and proposed air cargo security
rule. Moreover, we reviewed and analyzed stakeholders' comments to
TSA's proposed rule. We also reviewed reports on air cargo security
previously issued by GAO, the Congressional Research Service, the
Federal Aviation Administration, and the Department of Transportation
Inspector General. To determine the amount of air cargo transported and
the revenue that major, national, and large regional air carriers
received from transporting air cargo for the year 2004, we obtained and
reviewed information from TSA and the Department of Transportation's
Bureau of Transportation Statistics.
To determine the extent to which TSA has used a risk management
approach to guide decisions on securing air cargo, we compared a
synthesis of government requirements and best practices that represents
GAO's risk management approach with TSA's efforts to implement such an
approach. Specifically, we focused on the strategic planning and
objectives and risk assessment elements of the risk management
framework. To identify the extent to which TSA's air cargo strategic
goals and objectives support broader departmental and agency strategic
goals and objectives, we reviewed and analyzed Department of Homeland
Security and TSA strategic planning documents, including TSA's Air
Cargo Strategic Plan. Regarding TSA's efforts to assess risk, we
reviewed threat assessments prepared by TSA in 2004 and 2005. We did
not assess the quality of the threat assessments completed. To obtain
information on how threat information is shared and TSA's efforts to
address threats, we met with officials from TSA's Transportation
Security and Intelligence Service, Federal Bureau of Investigation, and
air cargo industry stakeholders. We also obtained these stakeholders'
views on the timeliness, specificity, and clarity of threat information
TSA disseminates.
To determine the actions TSA has taken to ensure the security of
domestic air cargo and the factors that may limit their effectiveness,
we reviewed and analyzed TSA security requirements including current
air cargo-related regulations, security directives, and program
policies. In addition, we reviewed the Aviation Security Advisory
Working Group's committee's recommendations to TSA, TSA's air cargo
security strategic plan, and TSA's proposed air cargo security rule to
gain an understanding of the similarities, differences, and weaknesses
among these plans. We also analyzed information on TSA's compliance
testing program to determine the agency's progress in evaluating
existing air cargo security requirements. Further, we reviewed TSA's
compliance inspection process and results to determine air carriers'
and indirect air carriers' compliance with existing air cargo security
measures. Specifically, we reviewed TSA's annual inspection plans for
fiscal years 2004 and 2005 and available data on the results of
inspections, including civil penalties, conducted from November 1,
2001, through January 31, 2005. To determine the percentage of air
cargo transported on passenger and all-cargo air carriers that is
exempt from TSA random inspection requirements, we used industry
estimates that a very small percentage of all cargo carried on
passenger and all-cargo air carriers is inspected. We assumed that
passenger and all-cargo air carriers were fully compliant with TSA
random inspection requirements in place as of May 2005.
To identify TSA's plans for enhancing air cargo security and the
financial, operational, and other challenges TSA and industry
stakeholders face in implementing air cargo security plans, we
interviewed TSA and air cargo industry stakeholders. In our
discussions, we obtained their views on the challenges related to
developing and implementing air cargo security enhancements, including
air cargo inspection technologies. We also reviewed TSA's proposed air
cargo security rule and analyzed stakeholders' comments to the rule to
identify stakeholder concerns with TSA's proposal. To identify the
costs of implementing TSA's existing and additional measures proposed
to enhance air cargo, we analyzed TSA and industry studies, models, and
documents outlining the economic cost and other challenges associated
with implementing the proposed security measures as well as other
possible measures. Specifically, we reviewed TSA's methodology,
assumptions, and findings related to cost projections and economic
impacts associated with its proposed enhancements. To determine how
sensitive TSA cost estimates were to various cost assumptions, we
conducted Monte Carlo simulations.[Footnote 113] We also interviewed
TSA's Director of Regulatory and Economic Analysis, who was responsible
for preparing the economic analysis of the proposed air cargo security
rule.
To obtain an understanding of TSA's efforts to develop a system to
target and inspect elevated risk cargo, we met with TSA and CBP
officials who are responsible for developing TSA's planned air cargo
targeting and inspection systems. We discussed TSA's development of the
Freight Assessment System, including its air cargo data systems that
are to be used to target elevated risk cargo. In addition we reviewed
documentation on CBP's policies and procedures for targeting elevated
risk cargo as well as its automated targeting system. In addition we
observed CBP's targeting efforts at its National Targeting Center. We
did not assess the effectiveness of CBP's targeting efforts. Regarding
TSA's research and development to identify inspection technology, we
spoke with officials in TSA's Chief Technology Office and reviewed
TSA's research and development plans, including the scope, methodology,
and implementation time frames and results of their pilot programs. We
also reviewed private industry's efforts to develop and test available
inspection technologies. While we did not assess the effectiveness of
inspection technologies, we spoke with TSA and private sector officials
regarding the limitations of the technology.
We conducted our work between June 2004 and September 2005 in
accordance with generally accepted government auditing standards. We
issued a restricted version of this report on July 29, 2005.[Footnote
114] This report contains information presented in that report with all
sensitive security information removed.
Data Reliability:
To assess the reliability of TSA's data on the number, type, and
location of their compliance inspections, we (1) obtained data on TSA's
compliance inspection activities conducted from November 2001 to
January 2005, (2) discussed discrepancies identified through our review
of the data with TSA officials, and (3) obtained TSA headquarters'
responses to our questionnaire regarding the reliability of the data.
Although our initial reliability testing indicated that there were some
inconsistencies in the data provided by TSA, we were able to resolve
most of the discrepancies. For example, TSA inspection data did not
include unique identification numbers for each inspection. As a result,
TSA data could have counted duplicate inspections. We developed a
methodology to count individual inspections based on entity name,
location of the facility, type of inspection being conducted, inspector
conducting the inspection, and the date of the inspection. Further, we
were unable to replicate the methodology TSA used to group violation
topics and to count the number of violations for each topic in its
reporting of high-risk violations from January 1, 2003, to January 31,
2005, including violations identified as "other" or violations for
which no specific topic area was provided. We interviewed TSA officials
to discuss how the agency defines violations identified as "other" and
to what extent the agency will address violations for which no specific
topic area was identified.
After reviewing the compliance data, we determined that the data were
reasonable for identifying general trends in TSA's inspection
violations. Additionally, we were unable to determine the number of
indirect air carrier facilities inspected from November 1, 2001, to
September 30, 2004, and we used TSA inspection data to provide a
maximum range of indirect air carrier facilities that TSA inspected for
this time period. These discrepancies, however, did not affect our
overall findings related to the compliance inspection data. Therefore,
we determined that the compliance inspection data were sufficiently
reliable for use in supporting our findings regarding TSA's efforts to
monitor air carrier and indirect air carrier compliance with air cargo
security requirements. Further, TSA provided us information on the
number of civil penalty enforcement cases recommended and issued from
November 1, 2001, to January 31, 2005. We discussed how these data were
compiled and maintained with TSA officials and determined that this
information was sufficient for counting the number of civil penalties
recommended and issued for violations of air cargo security
requirements by air carriers and indirect air carriers.
[End of section]
Appendix II: Federal Agency Roles in Air Cargo Security:
As part of the Aviation and Transportation Security Act, Congress gave
the Transportation Security Administration responsibility for ensuring
the security of cargo carried aboard passenger and all-cargo air
carriers. In addition to TSA, other federal agencies have a role in
securing air cargo. These roles cover a broad range of issues,
including the enforcement of import, export, customs, transportation,
and economic and trade regulations. For example, the Departments of
Commerce, Homeland Security, and the Treasury are responsible for
oversight and enforcement of international customs and trade laws. The
United States Postal Service also has responsibility for mail that is
placed on an aircraft. Last, the Department of Transportation has
responsibility for, among other things, ensuring the security of
hazardous materials being transported on air carriers. Table 4
describes federal agency roles in air cargo security.
Table 4: Federal Agency Roles in Air Cargo Security:
Federal agency: U.S. Customs and Border Protection (CBP);
Role in air cargo security: CBP's mission is to prevent terrorists and
terrorist weapons from entering the United States. This involves
security at and between United States ports of entry, as well as its
security zone beyond its physical borders. To stop terrorists and
terrorist weapons from entering United States borders, CBP screens air
cargo data prior to the air carrier's arrival at a United States
airport in order to target the use of domestically based technologies,
physical inspection methods, and inspection staff against high-risk
shipments.
Federal agency: United States Postal Service (USPS);
Role in air cargo security: USPS has an Aviation Security Program that
incorporates TSA's security regulations to secure mail that is being
transported via surface and air.
Federal agency: Department of Transportation (DOT);
Role in air cargo security: DOT, through the Federal Aviation
Administration, regulates the transportation of hazardous materials and
other cargo by air and through the Innovative Technology Administration
is responsible for developing, managing, and evaluating programs and
research activities for the security of passengers and cargo in the
transportation system.
Federal agency: Department of the Treasury;
Role in air cargo security: The Office of Foreign Assets Control (OFAC)
of the U.S. Department of the Treasury administers and enforces
economic and trade sanctions based on United States foreign policy and
national security goals against targeted foreign countries, terrorists,
international narcotics traffickers, and those engaged in activities
related to the proliferation of weapons of mass destruction. United
States air carriers and indirect air carriers are not permitted to
conduct business with businesses and individuals banned by OFAC.
Federal agency: Department of Commerce (DOC);
Role in air cargo security: Air cargo is subject to DOC jurisdiction to
the extent the cargo or the aircraft are subject to export controls,
i.e., the Export Administration Regulations (EAR). The export control
provisions of the EAR are intended to serve the national security,
foreign policy, nonproliferation, and short supply interests of the
United States.
Source: GAO prepared based on review of other federal agencies' roles
in air cargo security.
[End of table]
[End of section]
Appendix III: Timeline of Significant Events Related to Air Cargo
Security:
The following timeline reflects significant events in air cargo
security following the terrorist attacks in the United States involving
four jet airliners on September 11, 2001. These key events include the
enactment of the Aviation and Transportation Security Act; the
development of the Known Shipper database; additional TSA air cargo
security requirements; three reported incidences of stowaways; the
release of the Air Cargo Security Strategic Plan; release of the air
cargo security proposed rule; and initial development of TSA's air
cargo targeting system. The timeline also includes established time
frames for issuing the final air cargo security rule and the
commencement of the air cargo targeting system pilot.
Figure 5: Timeline of Significant Events Related to Air Cargo Security:
[See PDF for image]
The following events and dates are depicted on the timeline from 2001
through February 2006:
9/11/01: Terrorist attacks;
9/13/01: U.S. national airspace reopened to commercial aviation after
two-day shutdown;
11/91/01: Aviation and Transportation Security Act enacted (P.L. 107-
71);
10/02: TSA developed voluntary Known Shipper database;
9/03: Man ships himself in cargo from Newark, NJ to Dallas, TX;
10/1/03: Department of Homeland Security Security Appropriations Act,
2004 (P.L. 108-90);
10/1/03: Aviation Security Advisory Committee recommendations;
11/03: TSA required random inspection of cargo on passenger and all-
cargo aircraft;
11/17/03: Air Cargo Strategic Plan;
12/12/03: Vision 100-Century of Aviation Reauthorization Act (P.L. 108-
176);
1/31/04: Three stowaways shipped themselves in shrink-wrapped pallet
from Dominican Republic to Miami, Florida;
2/3/04: TSA Expands Federal Flight Deck Officer program to pilots of
all-cargo aircraft;
8/04: Woman ships herself in cargo crate from Nassau, Bahamas to Miami,
Florida;
10/18/04: Department of Homeland Security Appropriations Act, 2005
(P.L. 108-334);
11/10/04: Air Cargo Security Notice of Proposed Rule Making;
12/17/04: Intelligence Reform and Terrorism Prevention Act of 2004
(P.L. 108-458);
1/05: TSA began developing cargo targeting system;
8/14/05: Approximate date for TSA Issuance of Air Cargo Security Final
Rule;
2/06: TSA scheduled to start pilot test of cargo targeting system.
Source: GAO.
[End of figure]
[End of section]
Appendix IV: ASAC Representatives in the 2003 Air Cargo Working Group:
American Association of Airport Executives (AAAE):
Air Courier Conference of America (ACCA):
Airports Council International--North America (ACI-NA):
Air France (AF):
Association of Flight Attendants (AFA):
Air Forwarders Association (AFA):
Airport Law Enforcement Action Network (ALEAN):
Air Line Pilots Association (ALPA):
Allied Pilots Association (APA):
Air Transport Association (ATA):
American Trucking Associations (ATruckA):
British Airways (BA):
Cargo Airline Association (CAA):
Coalition of Airline Pilots Association (CAPA):
U.S. Customs and Border Protection (CBP):
Federal Aviation Administration (FAA):
Federal Bureau of Investigation (FBI):
International Airline Passenger Association (IAPA):
Lufthansa Airlines (LCAG):
National Air Carrier Association (NACA):
National Air Transportation Association (NATA):
National Customs Brokers and Forwarders Association of America
(NCBFAA):
National Industrial Transportation League (NITL):
Regional Airline Association (RAA):
Transportation Intermediaries Association (TIA):
Untied States Postal Service (USPS):
Victims of Pan Am Flight 103:
[End of section]
Appendix V: Testing Explosive Detection System Technologies for
Inspecting Air Cargo:
TSA began phase I testing to evaluate the effectiveness of explosive
detection system (EDS) (technologies currently certified for use in
inspecting passenger baggage) to screen air cargo in January 2004 at 6
airports.[Footnote 115] According to TSA, the objectives of phase I of
the pilot were to determine the expected performance of the explosive
detection system for inspecting outbound break bulk air cargo onboard
commercial air carriers for the threat of improvised explosive devices
(IED) within the air cargo operational environment, examine the
resource requirements (including manpower and support equipment) that
could be expected with deployment of EDS in the cargo environment, and
examine the potential affect on air cargo operations. Figure 6 shows
explosive detection system technology being used to screen break bulk
cargo as part of TSA's pilot test.[Footnote 116]
Figure 6: EDS Technology Inspecting Break Bulk Cargo:
[See PDF for image]
This figure is a photograph of EDS Technology Inspecting Break Bulk
Cargo.
[End of figure]
In August 2004, TSA began phase II of the EDS pilot at 6 additional
airports. Phase II operational testing studied the effectiveness of EDS
technologies by two vendors in the following cargo environments and
cargo configurations--mail screening, all-cargo aircraft, and break
bulk. According to TSA, the 12 airports selected for phases I and II of
the pilot program were based on variances in the type and volume of
cargo being transported as well as differences in climatic and
environmental conditions. Although TSA has not yet finalized its
evaluation of the results of the EDS pilot, agency officials stated
that preliminary data suggest that EDS technology is well suited to
inspect break bulk cargo under a range of environmental and climactic
conditions, but limitations exist with using such technology. TSA
officials noted that such limitations would be discussed in its final
evaluation report of the EDS pilot.
According to TSA, the report for phase II testing will be finalized in
July 2005. Based on the results of the tests, TSA has extended the use
of EDS for an additional year. TSA stated that during the extended
field tests, the air carriers will screen break bulk air cargo using
EDS.
[End of section]
Appendix VI: Testing the Use of TSA-Certified Explosives Detection
Canine Teams:
The objective of the first phase of the pilot was to assess the
performance and determine the effectiveness of TSA-certified explosives
detection canine teams when used to inspect three air cargo
configurations (break bulk, palletized, and cookie sheet) under
operational conditions. This pilot test was conducted at six airports
over the course of 6 weeks and involved 18 TSA-certified explosives
detection canine teams. According to TSA's evaluation report of the
pilot issued in October 2004, the average detection rates were
relatively high for break bulk cargo, palletized configurations, and
cookie sheet configurations. According to TSA, the results of this
study can be used to draw a number of conclusions regarding the use of
TSA-certified explosives detection canine teams to inspect break bulk,
palletized, and cookie sheet configurations. Overall, the data suggest
that even without prior training, the teams performed well on all three
cargo configurations. This illustrates the teams' abilities to adapt to
new and different environments and tasks.
The second phase of the canine cargo inspection operational test and
evaluation was conducted at six additional airports and involved 18 TSA-
certified explosives detection canine teams. The objective of this
phase of the pilot was to determine and examine the effectiveness of
TSA-certified canine teams in inspecting additional air cargo
configurations (break bulk, containers, and ground support equipment)
and two United States Postal Service mail configurations (break bulk
and rolling stock equipment).[Footnote 117] According to the pilot
program's evaluation report, issued in November 2004, the observed
detection rates were relatively high for break bulk cargo, containers,
and ground support equipment. Overall, the data suggest that even
without prior training, the canine teams performed reasonably well,
illustrating the ability of the teams to adapt to new and different
environments and tasks. According to TSA officials, the results of both
phases of the pilot program demonstrated that canines offer promising
alternatives to inspecting air cargo.
[End of section]
Appendix VII: New Technologies Selected by TSA for Further Development
and Testing:
Technology name: XR/PFNA X-ray combined with pulsed fast neutron
analysis as a confirmation system;
Items to be inspected: Cargo;
Technology description: Uses a beam of neutrons to excite common
elements (hydrogen, carbon, nitrogen, and oxygen) in cargo and
generates a three-dimensional map of the elements from which explosives
and drugs can be detected and located. In September 2004, Total cost of
the project is $12 million;
Estimated length of time needed for completing technology testing: 24
months.
Technology name: Miniature explosives and toxic chemical detector;
Items to be inspected: Cargo;
Technology description: Utilizes sensors based on Micro Electro-
Mechanical Systems (MEMS) technology to detect traces of explosives and
toxic chemicals;
Estimated length of time needed for completing technology testing: 24
months.
Technology name: Pressure-activated sampling system;
Items to be inspected: Cargo/mail;
Technology description: Items are placed inside a steel pressure
vessel. The chamber is then pressurized, allowing the air to be forced
into the package contents. The air exhaust is then sampled and analyzed
using an approved trace detector;
Estimated length of time needed for completing technology testing: 24
months.
Technology name: Low-cost Quadruple Resonance (QR) explosives detection
for containerized air cargo;
Items to be inspected: Cargo;
Technology description: A container placed on the transport mechanism
will be automatically moved into the scanning chamber, positioned, and
examined by QR and trace detection technologies;
Estimated length of time needed for completing technology testing: 22
months.
Technology name: Megavolt computed tomography for air cargo container
inspection;
Items to be inspected: Cargo;
Technology description: Uses high-energy computed tomography to
generate high-resolution, three-dimensional images of oversized boxes,
palletized cargo, and cargo containers. This system is based on the
same principles as those employed for checked luggage, but is large
enough to inspect air cargo containers;
Estimated length of time needed for completing technology testing: 24
months.
Technology name: Neutron resonance radiography for containerized cargo
inspection;
Items to be inspected: Cargo;
Technology description: An imaging system that uses medium energy
neutrons to effectively measure the neutron absorption through thick
objects and determine the relative concentrations of different
materials from which explosives can be detected in air cargo containers
with checked baggage or mail as contents;
Estimated length of time needed for completing technology testing: 25
months.
Technology name: Mail inspection sensor system based on micro
cantilevers;
Items to be inspected: Mail;
Technology description: A detection method based on the highly
sensitive micro cantilever sensors that can detect explosives in mail
at an estimated rate of 300 pieces of mail per hour;
Estimated length of time needed for completing technology testing: 24
months.
Technology name: Terahertz spectrometer-based trace detection system
for cargo;
Items to be inspected: Cargo;
Technology description: Combines a particle and vapor sampling system
with a Terahertz detector, which will analyze trace residues based on
their rotational spectra;
Estimated length of time needed for completing technology testing: 24
months.
Technology name: Material specific explosives and nuclear material
detection system for cargo and United States mail;
Items to be inspected: Cargo/mail;
Technology description: Accurately measures the elements and their
ratios in a container. The elemental densities are used to indicate the
presence of explosives and other contraband;
Estimated length of time needed for completing technology testing: 22
months.
Source: TSA.
[End of table]
[End of section]
Appendix VIII: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
[hyperlink, http://www.dhs.gov]:
September 30, 2005:
Ms. Cathleen A. Berrick:
Director, Homeland Security and Justice Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, D.C. 20548:
Dear Ms. Berrick:
Thank you for the opportunity to comment on GAO's draft report
entitled, "Aviation Security: Federal Action Needed to Strengthen
Domestic Air Cargo Security" GAO-06-76. We appreciate the analysis GAO
has done over the past year to reflect on our program development and
for recognizing our progress in strengthening the nation's air cargo
security. The Department of Homeland Security (DHS) generally concurs
with the report and recommendations.
DHS is Aggressively Working to Secure the Nation's Air Cargo:
The threat of a terrorist exploiting vulnerability within the air cargo
supply chain is real and is a high priority of the Department. In
addition, the Department's mission includes direction "to promote the
free-flow of commerce." The movement of cargo via air, onboard both
passenger and all-cargo airplanes, represents a critical component of
global and domestic supply chains. Accordingly, the manner and extent
to which DHS secures the air cargo domain continues to evolve, and the
balance between security and the flow of commerce is critical in this
evolution. The complexity of the air cargo environment requires
thoughtful analysis of alternatives and subsequent trade-offs among a
wide array of security options.
Since 9/11 there has been significant progress in securing the nation's
air cargo. Within DHS, the air cargo security approach being
aggressively pursued by the Transportation Security Administration
(TSA) and U.S. Customs and Border Protection (CBP) is tightly linked to
key best practices of the Department, namely:
* Active collaboration and partnership with the private sector, leading
to strong industry support and active participation in ongoing
programs:
* Applying a risk-based management model to resource allocation. This
includes integrating air cargo risk-based managed resources in the
Department's overall national security strategies:
* Embracing technology as a critical means of enhancing security in the
short and long-term.
Threat-Based Risk Managed Approach Requires a Public Private
Partnership:
DHS is committed to prioritizing its work in response to risk. Both
government and industry recognize that vulnerabilities within the air
cargo supply chain must be addressed in order to effectively combat
current threats. A threat-based risk management approach, one that
balances the twin goals of enhancing air cargo security without unduly
impeding the flow of commerce, is therefore required.
The current domestic air cargo security approach is being executed in
close coordination with the industry stakeholders who operate and
maintain the supply chain movements of cargo via air. The agency has
drawn upon the private sector's expertise through various government-
industry working groups, chartered under TSA's Aviation Security
Advisory Committee (ASAC). Insights generated through this public-
private partnership provided important inputs into TSA's Air Cargo
Strategic Plan.
The National Air Cargo Strategic Plan Integrates a Layered Security
Strategy:
By employing a layered security strategy that combines policy, strong
regulatory oversight, and technology to combat threats, mitigate
vulnerabilities, and control consequences, the DHS air cargo team is
managing risk effectively. Since the Department endorsed the TSA Air
Cargo Strategic Plan, TSA has been implementing a layered security
approach that strengthens our defense against existing threats.
The Air Cargo Strategic Plan is closely aligned with The National
Homeland Security Strategy, National Strategy for the Physical
Protection of Critical Infrastructure and Key Assets and TSA's
Strategic Plan. The plan directly supports TSA's goal of preventing
terrorists and other individuals from disrupting the transportation
system and harming its users. This plan is the core document guiding
the agency's efforts to further secure the air cargo supply chain
through four key strategic objectives:
* Enhance shipper and supply chain security;
* Identify elevated risk cargo through prescreening;
* Identify technology for performing targeted air cargo inspections;
* Secure all-cargo aircraft through appropriate facility security
measures.
Opportunities to further secure the air cargo supply chain include:
* Adding a greater level of standardization across air cargo security
programs;
* Employing a risk-based approach to targeting the subset of cargo that
represents a potential threat to the supply chain.
These opportunities are being addressed through strengthening of
policy, increasing day-to-day security compliance oversight, and
applying technical solutions.
1. Strengthening Policy. A major rulemaking is underway, with final
regulations to be published in late 2005. The revised policy direction
focuses on strengthening requirements for the existing population of
regulated parties in the air cargo supply chain (indirect air carriers,
air carriers, and airports). It also expands the regulatory footprint
of DHS to reach more participants in standard air cargo shipping
processes and transactions.
2. Focusing Day-to-Day Operations. During the past two years, TSA has
more than doubled the number of regulatory inspectors performing
compliance operations in the field. The impact of the expanded
inspection corps has also been enhanced through innovative programs
such as focused inspections, cargo strikes, and special emphasis
assessments. Further, the operations of current and prospective
regulated entities are scrutinized through the use of third party
corporate data that identifies criminal history, changes in ownership,
and other security-relevant information.
3. Embracing Technology. The Department is actively pursuing technology
programs and applications that address both short and long-term
challenges. In the short-term, core processes such as shipper and
indirect air carrier (IAC) registration and renewal can now be handled
through automated, web-based systems (the Known Shipper Database and
the IAC Management System) that promote public-private information
sharing. Meanwhile, the air cargo program continues to invest in
research and development activities that assess the readiness of
existing and emerging technologies such as Explosive Detection Systems
(EDS) machines and hardened containers to be integrated into normal
cargo operations. Finally, the program has embarked on a joint
initiative with industry and CBP, through the Automated Commercial
Environment (ACE), to identify elevated risk cargo through pre-
screening of air cargo shipment data. The output of this program,
Freight Assessment System, will be piloted with two major air carriers
and their suppliers at two major airports in early 2006.
A Layered Security Strategy Supports 100% Screening of Elevated-Risk
Cargo:
TSA believes that all cargo should be pre-screened for risk, and that
100% of cargo that is identified as elevated-risk should be screened
using appropriate technology and methods. Consequently, both the
Department and the air cargo industry support a layered security
approach that includes using data to pre-screen 100% of shipments.
DHS Responses to the GAO Recommendations:
GAO Recommendation: (1) develop a methodology and schedule for
completing assessments of air cargo vulnerabilities and critical
assets, as well as defining, gathering, and analyzing information on
air cargo security breaches, and use the information resulting from
these assessments as a basis for prioritizing the steps necessary to
enhance the security of the nation's air cargo transportation system;
TSA intends to perform "Commercial Air Cargo Industrial Vulnerability
Assessments" to assess the relative significance of vulnerabilities
associated with U. S. commercial air cargo operations and ancillary
activities. This vulnerability assessment will comprehensively identify
weaknesses in physical structures, personnel protection systems,
processes, or other areas associated with U. S. air cargo operations
that may be exploited by terrorists. The vulnerability assessment will
be tied into the Department's criticality work.
GAO Recommendation: (2) re-examine the rationale for existing air cargo
inspection exemptions, determine whether such exemptions leave the air
cargo system unacceptably vulnerable to terrorist attach and make any
needed adjustments to the exemptions;
TSA continually reviews the measures it has put into place as part of
its threat-based, risk-managed approach to securing the air cargo
environment and will soon launch a broad-based review of current air
cargo policies and processes. TSA is also in consultation with industry
stakeholders regarding reevaluation of current exemptions as it designs
and develops the Freight Assessment System (FAS).
GAO Recommendation: (3) develop measures to gauge air carrier and
indirect air carrier compliance with air cargo security requirements to
assess and address potential security weaknesses and vulnerabilities;
TSA collects compliance and enforcement data through its Performance
and Results Information System (PARIS). In early 2005, TSA created a
Compliance Analysis Division that uses compliance data to track trends
in security, identify systemic and localized compliance concerns, and
gauge compliance on both micro and macro levels. TSA continues to
enhance the functionalities of its PARIS database. TSA is committed to
focusing our inspection resources on regulated parties that have
greater security weaknesses and vulnerabilities. Accordingly, TSA will
enhance current efforts to gauge air carrier and IAC compliance with
cargo security requirements. Results of the inspection activity will be
compiled, analyzed and used to target future inspections.
GAO Recommendation: (4) develop a plan for systematically analyzing the
results of air cargo compliance inspections and use the results to
target future inspections and identify systemwide corrective actions;
TSA has taken steps to compile information results from past compliance
inspections. Using the data collected in PARIS, TSA will analyze the
results of its inspection activities to target future inspections and
develop both systemic and localized corrective action as appropriate.
Additionally, TSA recently formed its Compliance Advisory Group to
assist in developing the Agency's annual compliance work plan which
will identify and direct further inspection efforts.
GAO Recommendation: (5) assess the effectiveness of enforcement
actions, including the use of civil penalties, in ensuring air carrier
and indirect air carrier compliance with air cargo security
requirements; and;
TSA will use results generated by the PARIS database in addition to
reviewing formal enforcement actions and adjudications rendered through
the legal process to assess enforcement action effectiveness. TSA's
analysis of overall metric-based compliance results will be enhanced by
our consideration of specific enforcement actions and individualized
impact on the regulated entities. TSA's analysis is also informed by
follow-up inspections of these entities focusing on corrective action
taken, operational remediation, and continued compliance with security
requirements.
GAO Recommendation: (6) ensure that the data to be used in the Freight
Assessment System to identify elevated risk cargo are complete,
accurate, and current.
TSA is developing a comprehensive plan to ensure the integrity of all
data that will "feed" the Freight Assessment System (FAS). TSA is
evaluating designs of the FAS to implement a continuous monitoring
process to alert TSA of significant changes within the community. This
data verification and monitoring process would ensure that FAS is
provided with the most complete, accurate and current information.
Additionally, TSA has enlisted industry's assistance, through the
Aviation Security Advisory Committee, in the development of standards
for shipment data. TSA believes that implementing data standardization
requirements is essential to ensuring accuracy and reliability of the
shipment data.
Current Department Initiatives and Plans are Raising the Security Bar
Considerably:
The current domestic air cargo security approach is consistent with the
principles of the Department and is being executed in close
coordination with the industry stakeholders who operate and maintain
the supply chain movements of cargo via air. By employing a layered
approach that combines policy, strong regulatory oversight, and
technology to combat threats, mitigate vulnerabilities, and control
consequences, the DHS air cargo team is managing risk effectively. The
continued execution of major ongoing programs - such as Freight
Assessment and emerging technology R&D - will raise the air cargo
security bar even higher in the future.
Thank you again for the opportunity to contribute comments to the draft
report. Please let us know if we can provide any further information or
clarity on our response.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/IG Liaison Office:
[End of section]
Appendix IX: GAO Contacts and Staff Acknowledgments:
Contacts:
Cathleen A. Berrick, (202) 512-8777:
Acknowledgments:
In addition to those named above, John C. Hansen, Assistant Director;
Leo Barbour; C. Jenna Battcher; Charles W. Bausell; Katherine Davis;
Scott Farrow; Stanley J. Kostyla; Tom Lombardi; Jeremy Manion; Steve
Morris; Meg Ullengren; and Nicolas Zitelli made key contributions to
this report.
[End of section]
Footnotes:
[1] Aviation and Transportation Security Act, Pub. L. No. 107-71, §
110(b), 115 Stat. 597, 614-16 (2001).
[2] TSA generally uses the terms "inspecting" and "screening"
interchangeably to denote some level of examination of a person or
good, which can entail a number of different actions, including manual
physical inspections to ensure that cargo does not contain weapons,
explosives, or stowaways. When TSA applies a filter to information or
characteristics of cargo, such as its Known Shipper program, it refers
to such processes as screening. For the purposes of this report, we use
the term "inspection" to refer only to an air carrier's effort to
physically examine air cargo.
[3] DHS Science and Technology Directorate, Systems Engineering Study
of Civil Aviation Security-Phase I, April 7, 2005.
[4] The exact percentage of cargo physically screened or inspected is
sensitive security information.
[5] Intelligence Reform and Terrorism Prevention Act of 2004
(Intelligence Reform Act), Pub. L. No. 108-458, 118 Stat. 3638;
Department of Homeland Security Appropriations Act, 2005, Pub. L. No.
108-334, 118 Stat. 1298 (2004). The fiscal year 2006 DHS appropriations
bill, H.R. 2360, as passed by the House of Representatives on May 17,
2005, proposes to, among other things, reduce TSA funding by $100,000
per day until it satisfies the fiscal year 2005 requirement to triple
the percentage of cargo inspected on passenger aircraft, require that
DHS develop screening standards and protocols to more thoroughly screen
all types of cargo on passenger and cargo aircraft, and require that
TSA utilize checked baggage explosive detection equipment and screeners
to screen cargo carried on passenger aircraft to the greatest extent
practicable at each airport. The Senate version of the bill, passed on
July 14, 2005, proposes to direct that DHS research, develop, and
procure certified systems to screen air cargo on passenger aircraft at
the earliest date possible, enhance the known shipper program, and
increase the level of cargo inspected beyond the tripling mandated in
fiscal year 2005.
[6] GAO, Transportation Security: Systematic Planning Needed to
Optimize Resources, GAO-05-357T (Washington, D.C.: Feb.15, 2005), and
GAO, Aviation Security: Vulnerabilities and Potential Improvements for
the Air Cargo System, GAO-03-344 (Washington, D.C.: Dec. 2002).
[7] Air carriers refers to both commercial passenger air carriers whose
aircraft have been configured to accommodate both passengers and cargo
and all-cargo carriers whose aircraft transport only cargo. Indirect
air carriers, sometimes referred to as freight forwarders, consolidate
cargo from many shippers and deliver it to passenger air carriers.
TSA's proposed air cargo security rule would expand the definition of
an indirect air carrier to include those companies that consolidate and
transport cargo to all cargo carriers. The United States Postal
Service, or its representatives while acting on behalf of the Postal
Service, is not an indirect air carrier.
[8] During our review we spoke with 48 air cargo industry stakeholders,
including officials representing 7 air carriers, 4 indirect air
carriers, 12 airport authorities, 16 associations representing airport
operators, air carrier pilots, indirect air carriers, passenger air
carriers, all-cargo air carriers, law enforcement agencies, and 9 air
cargo security consultants and experts.
[9] Unless otherwise indicated, all cost estimate figures cited in this
report are in discounted dollars.
[10] An explosive detection system uses probing radiation to examine
objects inside baggage and identify the characteristic signatures of
threat explosives.
[11] There are about 450 commercial airports in the United States. TSA
classifies airports into one of five categories (X, I, II, III, and IV)
based on various factors, such as the total number of takeoffs and
landings annually, the extent to which passengers are screened at the
airport, and other special security considerations.
[12] GAO, Aviation Security: Federal Action Needed to Strengthen
Domestic Air Cargo Security, GAO-05-446SU, (Washington, D.C.: July 29,
2005).
[13] Elevated risk cargo could include cargo that has been determined
to pose a risk to the safety and security of passengers and air cargo
operations.
[14] Airport operators may also be responsible for air cargo security
to the extent that air cargo operations areas overlap with areas of the
airport designated as security identification display areas (SIDA),
pursuant to 49 C.F.R. part 1542. Individuals working in a SIDA must
have an airport-approved photo identification that is displayed at all
times above the waist on the individual's outermost garments. To obtain
a SIDA identification badge, a person must successfully undergo a
fingerprint-based criminal history records check and successfully
complete security training. In addition, SIDA access requirements must
include procedures for challenging all persons not displaying
appropriate SIDA photo identification.
[15] Other federal entities involved in safeguarding air cargo include
the Department of Homeland Security-U.S. Customs and Border Protection,
the United States Postal Service, the Department of Commerce, the
Department of Transportation, and the Department of the Treasury. See
appendix II for a description of each entity's role and responsibility
in securing air cargo.
[16] TSA regulations governing air cargo security are codified at Title
49, chapter XII, subchapter C, of the Code of Federal Regulations.
These regulations focus on requiring air carriers and indirect air
carriers to develop measures to deter and prevent the carriage of any
unauthorized explosive or incendiary aboard passenger aircraft,
including refusal to transport any cargo if the shipper does not
consent to a search or inspection of that cargo.
[17] Federal Security Directors (FSDs) are responsible for overseeing
the implementation of air cargo security requirements at airports
nationwide. The FSDs work with inspection teams composed of Aviation
Security Inspectors (ASIs) to conduct air cargo compliance inspections.
[18] TSA-approved security programs include (1) Aircraft Operators
Standard Security Program (AOSSP), which applies to domestic passenger
air carriers; (2) Indirect Air Carrier Standard Security Program
(IACSSP), which applies to domestic indirect air carriers; (3) Domestic
Security Integration Program (DSIP), a voluntary program that applies
to domestic all cargo carriers; (4) the Twelve-Five Program, which
applies to certain operators of aircraft weighing 12,500 pounds of more
in scheduled or charter service that carry passengers, cargo, or both.
TSA's proposed air cargo security rule making proposes to change the 12-
5 weight requirement to "more than 12,500 pounds"; (5) Model Security
Program applies to foreign passenger air carriers; and (6) All-Cargo
International Security Procedures, which applies to each foreign air
carrier engaged in the transportation of cargo to, from, within, or
overflying the United States in all-cargo aircraft with a maximum
certified takeoff weight of 12,500 pounds or more.
[19] According to the Federal Aviation Administration, up to 60 percent
of the cargo transported by passenger air carriers is made up of break
bulk items. According to TSA, more recent estimates range from 30 to 40
percent.
[20] Given that the data on the estimated numbers of shippers, air
carriers, and shipping facilities are used for background purposes, we
did not assess the reliability of these data.
[21] In fiscal year 2003, almost 16 billion pounds of cargo was shipped
by air on international flights to and from the United States.
[22] Given that the estimated poundage of cargo shipped on all-cargo
and passenger air carriers and the estimated amount of revenue of air
cargo for air carriers in 2004 are presented for background purposes,
we did not assess the reliability of these data.
[23] Department of Homeland Security Appropriations Act, 2004, Pub. L.
No. 108-90, 117 Stat. 1137 (2003), H.R. Conf. Rep. No. 108-280, at 37
(2003).
[24] Department of Homeland Security Appropriations Act, 2005, Pub. L.
No. 108-334, 118 Stat. 1298 (2004), H.R. Conf. Rep. No. 108-774, at 51-
52 (2004).
[25] Pub. L. No. 108-458, §§ 4051-52, 118 Stat. at 3728-29. Congress
has yet to appropriate funds pursuant to this authorization.
[26] GAO-05-357T.
[27] GAO-05-357T.
[28] GAO-05-357T.
[29] The Government Performance and Results Act of 1993 (GPRA), Pub. L.
No. 103-62, 107 Stat. 285, focuses the federal government on providing
objective, results-oriented information to improve the efficiency and
effectiveness of federal programs, among other things. Under GPRA,
strategic plans are the starting point and basic underpinning for
results-oriented management.
[30] GAO-03-344.
[31] ASAC was established in 1989 in the wake of the crash of Pan Am
flight 103 to provide the federal government with expert consultation
on aviation security issues. ASAC is composed of 27 organizations with
a stake in securing the aviation sector. The ASAC working groups
include groups representing victims and survivors of terrorist acts,
indirect air carriers, aircraft owners, airports, aircraft
manufacturers, representatives of passenger and all-cargo airline
management and labor, and representatives of federal government
agencies. A complete list of ASAC representatives participating in the
air cargo working groups can be found in appendix IV.
[32] GAO-05-357T.
[33] National Commission on Terrorist Attacks upon the United States,
The 9/11 Commission Report: Final Report of the National Commission on
Terrorist Attacks upon the United States (Washington, D.C.: 2004). The
9/11 Commission was an independent, bipartisan commission created in
late 2002.
[34] Transportation assets include rail and maritime assets, in
addition to aviation assets.
[35] Specific information on these threats is considered sensitive
security information and is discussed in more detail in the restricted
version of this report, GAO-05-446SU.
[36] Specific information on these threats is considered sensitive
security information and is discussed in more detail in the restricted
version of this report, GAO-05-446SU.
[37] As we have previously reported, while threat assessments are a key
decision support tool, it should be recognized that even if updated
frequently, threat assessments might not adequately capture emerging
threats posed by some terrorist groups. No matter how much we know
about potential threats, we will never know whether we have identified
every threat or whether we have complete information even about the
threats of which we are aware. Consequently, a risk management approach
to help prepare for terrorism that supplements threat assessments with
vulnerability and criticality assessments can provide better assurance
of preparedness for a terrorist attack.
[38] Specific information on this threat is considered sensitive
security information and is discussed in more detail in the restricted
version of this report, GAO-05-446SU.
[39] FSDs are responsible for the day-to-day operational direction for
federal security at airports. Additionally, FSDs are the ranking TSA
authorities responsible for the leadership and coordination of TSA
security activities at airports.
[40] GAO, General Aviation Security: Increased Federal Oversight Is
Needed, but Continued Partnership with the Private Sector Is Critical
to Long-Term Success, GAO-05-144 (Washington, D.C. November 2004).
[41] GAO-05-357T.
[42] For example, Executive Order 13292--Further Amendment to Executive
Order 12958, as Amended, Classified National Security Information,
March 25, 2003--limits the distribution of classified information,
while 49 C.F.R. part 1520 limits TSA's ability to distribute sensitive
security information to persons with a need to know.
[43] In May 2005, TSA staff identified a number of potential
vulnerabilities across the air cargo supply chain, including those
related to entities involved in the air cargo shipping process.
[44] According to TSA, its Transportation Risk Assessment and
Vulnerability Evaluation Tool could be used to assess and analyze the
vulnerability of those air cargo system assets TSA determines to be
nationally critical. Specifically, the tool assesses an asset's
baseline security system and that system's effectiveness in detecting,
deterring, and preventing various threats scenarios. Established threat
scenarios contained in the tool outline a potential threat situation,
including the target, threatening act, aggressor type, and tactic/
dedication, among other things. In addition, the tool includes a cost
performance component that compares the costs of implementing a given
countermeasure with the reduction in relative risk to that
countermeasure. TSA's Vulnerability Identification Self-Assessment Tool
could be used to assess and analyze vulnerabilities for assets that TSA
determines to be less critical. This Web-based self-assessment tool is
intended to guide the user through a series of security-related
questions to develop a security baseline of the asset and provide
mitigation strategies for use when the national threat level is
increased.
[45] We previously reported that the National Cargo Security Council,
now referred to as the International Cargo Security Council, a
coalition of public and private transportation organizations, estimates
that cargo theft among all modes of transportation accounts for more
than $10 billion in merchandise losses each year. The FBI estimates
that the majority of cargo theft in the United States occurs in cargo
terminals, transfer facilities, and cargo consolidation areas. GAO,
Vulnerabilities and Potential Improvements for the Air Cargo System,
GAO-03-344 (Washington, D.C.: December 2002).
[46] TSA officials stated that air cargo security vulnerabilities were
considered but not fully addressed during joint FBI assessments of
airport security conducted in 2003. As a result, TSA considered these
assessment results of limited value in identifying the vulnerabilities
associated with the air cargo transportation system.
[47] On December 17, 2003, President Bush issued a Homeland Security
Presidential Directive (HSPD-7) addressing critical infrastructure
identification, prioritization, and protection. The directive calls for
federal departments and agencies to identify, prioritize, and
coordinate the protection of critical infrastructure and key resources
in order to prevent, deter, and mitigate the effects of deliberate
efforts to destroy, incapacitate, or exploit them. The directive also
requires federal departments and agencies to work with state and local
governments and the private sector to accomplish this objective. DHS's
Interim National Infrastructure Protection Plan was issued in February
2005. Transportation systems are 1 of 17 sectors identified in the
national infrastructure protection plan.
[48] The Intelligence Reform Act required the Department of Homeland
Security to develop a National Strategy for Transportation Security and
transportation sector specific security plans by April 1, 2005. On
April 5, 2005, the Department of Homeland Security issued a letter
notifying Congress that TSA has taken the departmental lead for
developing the national strategy but that its issuance would be delayed
by 2 to 3 months to allow for integration of various other strategic
transportation security documents.
[49] A breach of security does not necessarily mean that a threat was
imminent or successful. According to TSA officials, the significance of
a breach must be considered in light of several factors, including the
intent of the perpetrator, and whether existing security measures and
procedures successfully responded to and mitigated the breach so that
no harm to persons, facilities, or other assets resulted. A breach of
passenger security, for example, may occur when a passenger bypasses a
security checkpoint. Regarding airport access controls, a breach may
involve an unauthorized individual gaining access to a runway.
[50] The National Safe Skies Alliance is a nonprofit organization that
tests technology and often contracts with the federal government.
[51] Specific actions TSA has taken or required air carriers and
indirect air carriers to take to enhance the security of the nation's
air cargo transportation system are considered sensitive security
information and have therefore been removed from this report. A
description of these actions is provided in the restricted version of
this report, GAO-05-446SU.
[52] To become a certified TSA indirect air carrier, an entity must
provide TSA with a written application and meet certain eligibility
criteria.
[53] Specific TSA actions taken to identify indirect air carriers who
may pose a security risk are sensitive security information and
described in the restricted version of this report, GAO-05-446SU.
[54] Details on security actions and measures reported by air carriers
and indirect air carriers that exceed TSA requirements are discussed in
the restricted version of this report, GAO-05-446SU.
[55] According to TSA's Chief Counsel, screening is not limited to
inspection but may include a variety of methods for evaluating persons
and property. On the basis of the Chief Counsel's definition, TSA has
taken the position that identifying cargo as coming from a known
shipper constitutes screening.
[56] The Known Shipper program was created prior to the events of
September 11 to establish procedures for differentiating between
shippers that are known and unknown to an indirect air carrier or air
carrier. ATSA acknowledged that the Known Shipper program is a
mechanism for screening cargo placed on passenger aircraft. TSA
security requirements do not allow for unknown shipments to be placed
on passenger aircraft.
[57] Specific Known Shipper program requirements are considered
sensitive security information and are described in more detail in the
restricted version of this report, GAO-05-446SU.
[58] Prior to September 11, indirect air carriers were allowed to
accept cargo from unknown shippers for transport on passenger aircraft.
At that time, cargo from unknown shippers was required to be screened
by the indirect air carrier or identified to the passenger aircraft
operator so that the aircraft operator could screen the cargo. After
September 11, security directives and emergency amendments were issued
to both indirect air carriers and aircraft operators; these precluded
the transport of unknown shipper cargo on passenger aircraft. The
prohibition regarding unknown shipper cargo on passenger aircraft is
still in place today.
[59] Specific Known Shipper program weaknesses identified by local TSA
officials and air cargo industry associations are considered sensitive
security information and described in more detail in the restricted
version of this report, GAO-05-446SU.
[60] TSA security directives also require that passenger air carriers
only transport cargo from shippers that could either be verified
through the agency's automated Known Shipper database or from shippers
that meet other known shipper criteria.
[61] Specific problems identified with the Known Shipper program are
considered sensitive security information and described in more detail
in the restricted version of this report, GAO-05-446SU.
[62] Terrorist watch lists provide decision makers with information
about individuals who are known or suspected of being a terrorist,
among other things. These lists are developed, maintained, or used by
federal, state, and local government entities, as well as by private
sector entities, and contain various types of data.
[63] According to some industry estimates, the total population of
known shippers may range up to 3 million.
[64] Specific problems with TSA's Known Shipper database are considered
sensitive security information and described in the restricted version
of this report, GAO-05-446SU.
[65] The conference report accompanying the fiscal year 2005 Department
of Homeland Security Appropriations Act directs TSA to work more
aggressively to strengthen air cargo security by strengthening the
Known Shipper program to include regular security checks on all known
shippers to ensure that they are not compromising security standards.
[66] Information on other types of analyses that could be performed to
identify known shippers posing an elevated security risk is considered
sensitive security information and is discussed in more detail in the
restricted version of this report, GAO-05-446SU.
[67] TSA requirements described in aircraft operator standard security
programs and security directives allow air carriers to use several
methods and technologies to inspect air cargo, including manual
physical searches, X-ray systems, explosive trace detection systems,
decompression chambers, and explosive detection systems and TSA-
certified explosives detection canines for use in inspecting checked
baggage, among other methods.
[68] Details on the percentage of cargo required to be randomly
inspected are considered sensitive security information and described
in the restricted version of this report, GAO-05-446SU.
[69] Pub. L. No. 108-334, § 513, 118 Stat. at 1317.
[70] Details on the types of cargo transported on passenger and all-
cargo carriers exempt from TSA random inspection requirements are
considered sensitive security information. A description of these
exemptions is provided in the restricted version of this report, GAO-
05-446SU.
[71] Details on the specific items to be inspected by air carriers and
on how existing inspection exemptions may create potential risks
security risks and vulnerabilities are considered to be sensitive
security information and discussed in the restricted version of this
report, GAO-05-446SU.
[72] Estimates of the percentage of cargo inspected by air carriers are
considered sensitive security information and discussed in the
restricted version of this report, GAO-05-446SU.
[73] Details on the quality of air cargo inspections are considered
sensitive security information and discussed in the restricted version
of this report, GAO-05-446SU.
[74] TSA compliance inspections are fundamentally different from air
carriers' inspections of cargo. TSA inspections are designed to ensure
air carrier compliance with air cargo security requirements, while air
carrier inspections focus on ensuring that cargo does not contain
weapons, explosives, or stowaways.
[75] The PARIS database, established in July 2003, provides TSA a Web-
based method for entering, storing, and retrieving performance
activities and information on TSA-regulated entities, including air
carriers and indirect air carriers. PARIS includes profiles for each
entity, inspections conducted by TSA, incidents that occur throughout
the nation, such as instances of bomb threats, and investigations that
are prompted by incidents or inspection findings.
[76] We requested all of TSA's compliance inspection data, starting in
November 2001. According to TSA, agency efforts to conduct air cargo
compliance inspections during calendar years 2001 and 2002 were
minimal. Moreover, documentation of inspection results for that period
was problematic in part because of the way the Federal Aviation
Administration reported compliance inspection data, which made it
difficult to migrate the Federal Aviation Administration's data into
TSA's PARIS system.
[77] TSA reported conducting 40,372 inspections during the same period,
but we removed duplicate information found in the data. TSA did not
provide unique identification numbers for each inspection; therefore,
we developed a methodology for counting individual inspections based on
factors including type of inspection, entity inspected, and location
and date of inspection.
[78] The restricted version of this report, GAO-05-446SU, provides
information on the most frequently occurring violations by risk level,
as determined by TSA.
[79] GAO Internal Control Management and Evaluation Tool, GAO-01-1008G
(Washington, D.C.: August 2001).
[80] The percentages of air carrier and indirect air carrier facilities
inspected by TSA are estimates. In calculating these estimates, we
assumed that none of the indirect air carrier facilities inspected in
fiscal year 2004 were inspected before and that there were no
discrepancies or missing information in the data for fiscal years 2002
and 2003. As a result, the percentage of air carrier's stations and
indirect air carrier's facilities inspected during this period may be
lower. TSA did not provide us data to calculate the number of stations
and facilities visited for the period beginning in fiscal year 2005.
[81] Factors accounting for the limited number of TSA compliance
inspections of indirect air carrier facilities are sensitive security
information and discussed in the restricted version of this report, GAO-
05-446SU.
[82] Since September 1999, each indirect air carrier was required to
annually submit and maintain information on all its corporate and
satellite offices.
[83] According to TSA, special emphasis assessments are distinct from
agency efforts to conduct covert testing by TSA's office of Internal
Affairs and Program Review. Covert testing is typically done by
undercover TSA agents and includes testing the security procedures at
passenger check points and airport access controls.
[84] Results of TSA's tests are considered sensitive security
information and described in the sensitive security version of this
report, GAO-05-446SU.
[85] The statutory authority for TSA to issue fines and penalties to
individual air carriers and indirect air carriers for not complying
with established security procedures is 49 U.S.C. § 46301. The penalty
for an aviation security violation is found at 49 U.S.C. § 46301(a)(4)
and states that the maximum civil penalty for violating chapter 449 (49
U.S.C. §§ 44901 et seq.) or another requirement under this title
administered by the TSA's administrator shall be $10,000 except that
the maximum civil penalty shall be $25,000 in the case of a person
operating an aircraft for the transportation of passengers or property
for compensation.
[86] This percentage is based on TSA enforcement action data, which
include data for the period October 1, 2002, to December 31, 2002.
TSA's data on civil enforcement actions were provided by fiscal year
and not by month. Not including the data for October 1, 2002, to
December 31, 2002, could potentially increase the percentage of cases
for which TSA could not specify the action it took to resolve
identified security violations.
[87] These figures include data for the period October 1, 2002, to
December 31, 2002, as TSA's data on civil enforcement actions were
provided by fiscal year and not by month.
[88] GAO, Aviation Security: Better Management Controls are Needed to
Improve FAA's Safety Enforcement and Compliance Efforts, GAO-04-646
(Washington D.C.: July 2004), and GAO, Pipeline Safety: Management of
the Office of Pipeline Safety Enforcement Program Needs Further
Strengthening, GAO-04-801 (Washington D.C.: July 2004).
[89] On September 22 2005, TSA announced that the agency's planned
targeting system would undergo a "proof of concept" phase" before being
piloted. This phase would entail evaluating the system's potential
effectiveness in identifying elevated risk cargo, assessing data
quality related to cargo shipments, and recommending any necessary
modifications to the system.
[90] Details on TSA's planned Freight Assessment System are sensitive
security information. A description of the system is provided in the
restricted version of this report, GAO-05-446SU.
[91] CBP currently uses the Automated Targeting System to target
elevated risk international cargo for additional review or inspection.
[92] Commercial air carriers must submit specific cargo information to
CBP by "wheels up" in the case of aircraft departing for the United
States from any foreign place in America, north of the equator only.
Aircraft departing for the United States from any other foreign area
must provide information electronically no later than 4 hours prior to
arrival in the United States.
[93] TSA officials could not provide us with details on the Freight
Assessment System because such details have not yet been finalized
within DHS.
[94] GAO, Homeland Security: Challenges Remain in the Targeting of
Oceangoing Cargo Containers for Inspection, GAO-04-325NI (Washington,
D.C.: Feb. 20, 2004), and GAO, Container Security: A Flexible Staffing
Model and Minimum Equipment Requirements Would Improve Overseas
Targeting and Inspection Efforts, GAO-05-187SU (Washington, D.C.: April
2005).
[95] According to CBP officials, they continue to work on improving the
completeness and accuracy of oceangoing cargo manifest data. The
mandatory transmission of manifest data for U.S.-bound air cargo
shipments was not finalized until December 2004.
[96] CBP's Automated Targeting System uses targeting criteria to assign
a risk score to cargo shipments.
[97] Pub. L. No. 108-334, § 513, 118 Stat. at 1317.
[98] In the past TSA received research and development (R&D) funding.
For fiscal year 2006, TSA's R&D programs are permanently transferred to
the DHS Office of Science and Technology (S&T). A small amount of
resources will remain within TSA to assist with EDS testing, and
liaison with S&T for operational integration.
[99] ETD technology requires human operators to collect samples of
items to be inspected with swabs, which are chemically analyzed to
identify any traces of explosive material. Decompression chambers
simulate the pressures acting on aircraft which cause explosives that
are attached to barometric fuses to detonate.
[100] In addition to TSA's efforts to test current EDS technology, one
airport we visited was undertaking an independent air cargo inspection
pilot testing the effectiveness of different versions of X-ray
technology. According to airport officials, the inspection process was
time-consuming. Airport authority officials stated that they planned to
conduct additional inspection technology testing sometime in 2005.
[101] Throughput means the amount of cargo screened during a given
period of time, for example, per hour.
[102] We previously reported on the challenges associated with
developing and operating a maritime worker identification card program.
GAO, Port Security: Better Planning Needed to Develop and Operate
Maritime Worker Identification Card Program, GAO-05-106 (Washington,
D.C.: December 2004).
[103] GAO, Transportation Security R&D: TSA and DHS Are Researching and
Developing Technologies, but Need to Improve R&D Management, GAO-04-890
(Washington, D.C.: September 2004).
[104] TSA's proposed air cargo rule also includes measures for
enhancing the security of cargo transported by foreign air carriers
entering the United States. According to CBP, air carriers arriving
from foreign counties that are already members of the Customs-Trade
Partnership Against Terrorism program are required to have security
plans.
[105] Pub. L. No. 108-334, § 513, 118 Stat. at 1317.
[106] The conference report accompanying the fiscal 2005 Department of
Homeland Security Appropriations Act, which also contained the
requirement for tripling the inspection percentage, was available
approximately 1 month prior to the publication of TSA's proposed rule.
[107] TSA determined that the proposed regulatory action is not a major
rule within the definition of Executive Order 12866, as annual costs to
all affected parties do not pass the order's $100 million threshold in
any year. If the proposed cost estimates had exceeded the $100 million
threshold, TSA would have had to comply with Executive Order 12866's
requirement that TSA's analysis of its proposed air cargo security rule
consider the costs and benefits of reasonable alternative courses of
action and adequately explain the reasons for the proposed action.
[108] An airport's SIDA is not to be accessed by passengers and
typically encompasses areas near terminal buildings, baggage loading
areas, and other areas that are close to parked aircraft and airport
facilities, including air traffic control towers and runways used for
landing, taking off, or surface maneuvering.
[109] Pub. L. No. 108-458, § 4053, 118 Stat. at 3729.
[110] We selected 12 airports based on airport size, geographical
dispersion, and volume of cargo operations, based on cargo statistics
prepared by an industry stakeholder and the Federal Aviation
Administration. Information on the specific airports we visited is
sensitive security information and is listed in the restricted version
of this report, GAO-05-446SU.
[111] We observed testing of inspection technology pilot programs at
Boston Logan International Airport and Miami International Airport.
[112] We met with CBP officials based on the volume of cargo operations
at the airports we visited in which CBP has a service port. A service
port is a CBP location that has a full range of cargo-processing
functions, including inspections, entry, collections, and verification.
Information on specific service ports we visited is sensitive security
information and is listed in the restricted version of this report, GAO-
05-446SU.
[113] Our analysis was conducted using what is called Monte Carlo
simulation, which uses random numbers to measure the effects of
uncertainty.
[114] GAO-05-446SU.
[115] Phase I testing of the EDS pilot program took place at Ted
Stevens Anchorage International Airport, Atlanta Hartsfield-Jackson
International Airport, Chicago O'Hare International Airport, Dallas
Fort Worth International Airport. Los Angeles International Airport,
and Miami International Airport.
[116] The fiscal year 2006 Department of Homeland Security
appropriations bill, H.R. 2360, as passed by the House of
Representatives on May 17, 2005, proposes to require that TSA
utilize existing checked baggage explosive detection equipment and
screeners to screen cargo carried on passenger aircraft to the greatest
extent practical, and would require that TSA report monthly on the
amount of cargo screened by TSA. The Senate version of the bill, passed
on July 14, 2005, proposes to direct that DHS research, develop, and
procure certified systems to screen air cargo on passenger aircraft at
the earliest date possible.
[117] Ground support equipment is a wheeled cart, maneuvered by airline
tugs, used to move air cargo between airline cargo facilities and
aircraft. Rolling stock equipment is a bulk mail container used to
transport mail sacks and outside packages from a mail facility to the
airline mail screening location and then to the aircraft.
[End of section]
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site [hyperlink,
http://www.gao.gov] contains abstracts and full-text files of current
reports and testimony and an expanding archive of older products. The
Web site features a search engine to help you locate documents using
key words and phrases. You can print these documents in their entirety,
including charts and other graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
[hyperlink, http://www.gao.gov] and select "Subscribe to e-mail alerts"
under the "Order GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: